The premier weekly newspaper for the legal profession in Ontario
Issue link: https://digital.lawtimesnews.com/i/980933
Page 8 • May 14, 2018 • Law Times • www.lawtimesnews.com

Lawyers preparing for mandatory data-breach reporting

BY MARG. BRUINEMAN
For Law Times

Lawyers say they are ramping up in anticipation of the rollout of new mandatory data-breach reporting rules going into effect in Canada.

The focus initially was to prepare Canadian companies doing business in the European Union dealing with its residents' data in order to be compliant with the new requirements under that continent's General Data Protection Regulation coming into force May 25. Companies are required to report a personal data breach within 72 hours of becoming aware of it. The GDPR requires that any data breaches that risk the rights and freedoms of EU residents' data be reported, whether or not the company is based in the EU.

Canada had introduced similar legislation through the Digital Privacy Act in 2015. In March 2018, the federal cabinet issued an order-in-council indicating that Canadian mandatory data-breach disclosure rules will go into effect in November, three years after being introduced through legislation.

Chantal Bernier, who leads Dentons Canada LLP's privacy and cybersecurity practice, says she has advised her clients that they could prepare for both sets of rules at the same time.

"I said to my clients, 'Why don't we do two in one?'" says Bernier, who previously served as the interim privacy commissioner and assistant commissioner of the Office of the Privacy Commissioner of Canada. "The words are different in each legislation, but in both cases, the test is the same."

In Canada, the requirement to report is when there is risk of significant harm to an individual. In the event of a data security breach dealing with personal information, Canadian organizations governed by the Personal Information and Electronic Documents Act must notify those who are affected and they must report to the OPC.
In order to prepare, organizations should develop a governance process about who will make the decision on whether or not notification is necessary, says Bernier. They also need to determine the criteria, specific to the work they do and the data they handle, that would lead them to notify officials of a breach.

Wendy Mee, a partner at Blake Cassels & Graydon LLP, who works in privacy and information governance, sees the rollout of the Canadian legislation as almost being a necessity for international trade.

"I definitely think we need a federal data-breach reporting regime, if for nothing else but to improve the likelihood that we will continue to be adequate under the GDPR in Europe," says Mee.

Under existing European law and under the GDPR, European companies can transfer data to organizations in Canada that are subject to PIPEDA because the Canadian legislation meets the EU's adequacy threshold. But that decision is up for review. Canada's new mandatory data-breach reporting rules, which have a similar objective to those launched in the EU, bridge what could have been a gap between the requirements in the two jurisdictions, says Mee.

"It's a good thing for the Canadian economy so we want to keep that. So I think having a mandatory breach-notification regime under PIPEDA will help if and when [the EU] review happens to make sure PIPEDA is still adequate," says Mee.

Although the Canadian rules are a long time coming, preparing for their rollout later this year could be a lot of work. Some businesses may not have the infrastructure in place to accommodate all the requirements, says David Elder, Stikeman Elliott LLP's chief privacy officer and chairman of its communications group in Ottawa.

"They will have some work to do really in just creating clear roles about who handles what reporting channels and employee awareness about what to flag so it can be investigated and determined if there was a breach," he says.
Another aspect of the new Canadian rules is causing some consternation. Companies are also required to keep a record of all breaches, no matter how small, says Elder. This is something Elder says is not typically required by other privacy laws in other jurisdictions. The record-keeping requirement is to include any breaches that are not reportable. In this circumstance, data breaches are broadly defined, so small, incidental acts could include leaving a purchase order on a table where others can see it or even open discussion about a client's preferences, says Elder.

He feels businesses could be challenged to make a call about imposing their own threshold on what they should and shouldn't record and then train the people on the frontlines who might cause these breaches.

Mee also says companies and organizations need to keep a record of every breach of security safeguards, regardless of the harm threshold, which will be very challenging for organizations. She says setting up the necessary system to accommodate the record-keeping requirement, including implementing policies and conducting training, can be onerous.

The purpose is to have that information on hand to demonstrate compliance with the reporting obligations, she says, but there is potential for that information to be used in future claims.

"[Organizations covered by the record-keeping legislation are] going to have a record of all these breaches that have occurred, if there was ever a really big breach and [if] there was litigation as a result of that. All of this stuff is discoverable," says Mee.

Photo caption: Wendy Mee says companies and organizations should keep a record of every data breach they encounter.

FOCUS ON Cybersecurity & Mobile Technology Law