In the wake of security breaches reported at LinkedIn and
eHarmony, now may be a good time for businesses to re-acquaint
themselves with the applicable statutory framework for the
protection of personal information in Canada as well as implement
or update policies and procedures around breach detection and
Reports of Recent Security Breaches
On Wednesday, June 6, 2012, both LinkedIn, a social networking
site with 160 million users, and eHarmony, an online dating site
with 20 million users, reported significant security breaches. The
result of these breaches was that user passwords, over 6 million
from LinkedIn and 1.5 million from eHarmony, were reportedly posted
in online forums.
Statutory Breach Notification Requirements
Alberta's Personal Information Protection Act
(PIPA) was the first piece of Canadian legislation to require
mandatory security breach notification in the private (non-health)
sector. Under PIPA, businesses are required to notify the Alberta
Privacy Commissioner whenever there exists a real risk of
significant harm to an individual as a result of a breach.
Similarly, under proposed amendments to the Federal Personal Information Protection and Electronic
Data Act (PIPEDA), businesses would have to notify the
federal Privacy Commissioner in the event of any material breach.
This requirement appears more broadly worded than PIPA's
notification requirement. Businesses, under the proposed
amendments, will also be required to directly notify individuals
for whom it is likely that breach creates a real risk of
significant harm. By contrast, under PIPA, the Alberta Privacy
Commissioner determines whether notification to individuals is
required under the Act.
Guidelines for Protecting Personal Information
As legislative amendments are undertaken to address privacy
issues, businesses will encounter increased compliance
requirements. Here are some guidelines that may assist businesses
in protecting data containing personal information and limit
Develop a breach protocol that is amended periodically to
account for improvements in technology.
Incorporate a notification procedure in the breach protocol in
order to report breaches to the applicable Privacy Commissioner.
Even in jurisdictions where such notification is not strictly
required by law, it may be advisable to notify the Privacy
Commissioner (or affected individuals) of data breaches where such
notification to Privacy Commissioners or individuals would help
mitigate the harm arising from the breach.
Ensure that all contracts with third parties include provisions
that require the third party contractor to immediately inform the
organization of any breach or suspected breach. Inform third
parties of the breach protocol once it is developed.
Ensure that record retention and destruction policies comply
with existing privacy law requirements. To ensure compliance,
destroy or 'anonymize' all personal information once it is
no longer needed or legally required to be retained.
Undertake employee training initiatives to ensure familiarity
and compliance with all policies and practices.
For businesses that are looking to develop policies and
procedures the following guidelines may be of assistance:
Build a security program that protects the confidentiality,
integrity, and availability of all information, not just personal
Develop classification standards so that personal information
can be easily identified.
Ensure that proper security controls are in place and conduct
risk assessments of all personal information.
A discussion on a recent decision of the Alberta Office of the Information and Privacy Commissioner in which an adjudicator emphasizes the narrow scope of personal information that can be considered reasonable to collect, use, and disclose for the purpose of providing background checks.
Canada’s Federal Privacy Commissioner Jennifer Stoddart today released a position paper which offers a roadmap for modernizing Canada’s federal private-sector privacy law, Personal Information Protection and Electronic Documents Act (PIPEDA), so that it more effectively tackles current and future privacy issues.