Fri, Nov 9, 2018

Canada’s PIPEDA Breach Notification Guidance and Considerations

The breach notification rules of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) are now in effect. Since draft guidance was released by the government a mere six weeks ago, many organizations are scrambling to ensure compliance.

To help your team in this process, we prepared some tips and best practices:

  • If your organization outsources any business function(s), determining who owns the data and who is responsible for reporting breaches can be challenging and time-consuming.
    • Consider engaging experienced legal counsel who may help review contracts with third parties to ensure they capture notification requirements and include clear definitions for “significant harm.”
  • PIPEDA defines a breach simply as a data loss or unauthorized access or disclosure of personal information that creates significant harm. Moreover, significant harm is defined at a high level.
    • With the greater potential for a data loss to become a reportable event, it is urgent that your organization implement and test your notification procedures as soon as possible.
  • Under the new rules, in the event of a data loss, your organization must notify affected individuals as well as Canada’s Privacy Commissioner. You must also keep records of breaches for two years.
    • This means that in addition to maintaining your own archival records, you must define these archival responsibilities with your third parties as well.

Watch Brian Lapidus, Managing Director and Global Breach Notification Leader in the Cyber Risk practice discuss how his global team helps to support clients surrounding various data privacy and security laws, including PIPEDA: 

Brian Lapidus

If your organization is unaccustomed to breach reporting, PIPEDA’s stringent breach notification rules will no doubt increase your compliance burden. You will need to pay much more careful attention to third party risk, data security and incident response plans.

Kroll’s Cyber Risk team has the resources to support your team in every stage of this process – from data mapping exercises, to third party risk management programs, to breach notification and identity monitoring services. We have helped organizations of all sizes with data losses of all sizes and complexity for nearly two decades.

Our global team of cyber experts stands ready to answer your questions and provide guidance to implement PIPEDA and meet its notification requirements. You can call our breach hotline at 877-300-6816 or email [email protected] for a 24x7 response.

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.