The premier weekly newspaper for the legal profession in Ontario
Issue link: https://digital.lawtimesnews.com/i/803106
Law Times • March 27, 2017 • Page 11 • www.lawtimesnews.com

Fast response of class action bar after issues occur
Mandatory reporting of breaches spreads

BY JUDY VAN RHIJN
For Law Times

Hard on the heels of legislation requiring mandatory reporting of data breaches for the private sector come recommendations for a similar overhaul of the public sector. The introduction of an explicit requirement by the federal government to force companies to publicly admit to breaches will enable swift responses from the class actions bar when they occur.

"Generally, federal and provincial legislation seem to be going towards two things — mandatory reporting to the privacy commissioner and mandatory notification to individuals," says Patrick Hawkins of Borden Ladner Gervais LLP in Toronto.

In relation to the private sector, s. 10.1 of the federal Personal Information and Electronic Documents Act requires mandatory reporting of data breaches that pose a substantial risk of harm to individuals. The new legislation was passed in 2015, underwent a consultation period in 2016 and is expected to come into force once regulations have been passed. The Ministry of Innovation, Science and Economic Development Canada advises that regulations will be published this year and will be subject to public consultation and a transition period.

Ted Charney of Charney Lawyers of Toronto considers these legislative changes to be an "absolute necessity."

"Just as a defective product requires mandatory reporting, by analogy, a privacy breach poses a risk to consumers, and the company is not in a position to assess the degree of risk because of their self-interest," says Charney.

He has observed that most privacy breaches go unreported.

"To the extent that organizations do not divulge, customers do not become aware of the breach. If they suffer identity theft or fraud or some other privacy breach, they don't know it's related to a particular organization," he says.
The Office of the Privacy Commissioner of Canada has a voluntary data-breach reporting program, and some organizations subject to PIPEDA participate as a matter of best practice.

"Probably every month there are six to 12 privacy breaches that go undetected and unreported," Charney estimates. "That's a figure I know because businesses that assist insurance companies and other organizations get six to 12 new cases on a monthly basis, whereas the degree of reporting to the Privacy Commission is one or two a month."

One aspect of the changes to PIPEDA is that there is a threshold for the reporting requirement to kick in. Section 10.1 provides that organizations must determine if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual. They must consider the sensitivity of the personal information involved and the probability that the personal information is being, or will be, misused.

"We have to see how that gets interpreted by the Privacy Commissioner and the courts," says Hawkins. "Not every potential breach gets triggered. It's a meaningful threshold."

Jillian Swartz of Allen McDonald Swartz LLP of Toronto points out that if a company has decided to notify its customers or clients about a breach, it has admitted that it's reasonable in the circumstances to believe that the breach creates reasonable risk.

"That will be music to class action lawyers' ears," she says. "This will open up a whole new niche area in class actions."

In fact, Charney has some concerns about it being left up to the organization to decide what constitutes "reasonable circumstances," as is laid out in PIPEDA.

"Reporting should be mandatory for all breaches and then it's up to the privacy commissioner whether to notify the customers or not," he says.

"If companies are not prepared to notify them voluntarily, the decision should be made by the commissioner."
In relation to the public sector, the House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled a report in December 2016 entitled "Protecting the Privacy of Canadians: Review of the Privacy Act."

It includes recommendations "to create an explicit requirement for government institutions to report material breaches of personal information to the Office of the Privacy Commissioner of Canada in a timely manner" and "to notify affected individuals of material breaches of personal information, except in appropriate cases, provided that the notification does not compound the damage to the individuals."

Photo caption: Patrick Hawkins says he expects a surge in class action activity when class counsel and customers know that a data breach has occurred.