Focus: Unclear rules around when to tell public about data breaches, lawyer says

Changes to Canada’s Personal Information Protection and Electronic Documents Act came into effect last summer and, with it, a requirement for companies to notify users when there’s been a data breach where the breach poses “a real risk of significant harm.”

But what exactly constitutes that risk? Molly Reynolds, a lawyer at Torys LLP, says the answer is unclear. The amendments define “significant harm” broadly to include anything from bodily harm to embarrassment and loss of opportunities. Whether there’s a “real risk” of such harm as a result of a breach is to be assessed on the basis of the sensitivity of the information lost, the probability of misuse, and other factors that are yet to be set out in the regulations.

Reynolds says she’s hoping the regulations will set out a high threshold for what constitutes a real risk of significant harm and offer guidance on how to quantify that risk. Without such guidance, the threshold could range from a possibility of risk of harm to probability and certainty, she says.

“What we want to see in the regulations is a confirmation that the assessment is to be done on the probability end of the spectrum or, at least, no factors that would lead the [Office of the Privacy Commissioner] to apply a lesser standard closer to a possibility of misuse when considering the threshold in practice,” says Reynolds.

A possibility of real risk of significant harm may be present where personal information was lost in the mail but a company doesn’t know what happened to it, Reynolds says, whereas a probability of harm could exist in situations where a company’s employee sent out information about individuals for unknown reasons but there’s some suspicion of malicious intent. And then there’s certainty, where personal information, and especially financial information, was stolen in a hacking attack.

Measuring the risk in each breach and evaluating incidents on a case-by-case basis can be difficult, Reynolds says, but there has to be consistency in the way companies assess privacy breaches, so that they are reporting the same kinds of incidents as other industry participants.

Real risk of significant harm has to mean more than a mere possibility of harm, says Reynolds.

“Beyond the need for a clear standard that can be consistently applied by businesses and the OPC, a threshold on the higher probability end of the risk of harm spectrum would benefit individuals, businesses, and the regulator,” she says.

“Individuals could experience notification fatigue or not be adequately equipped to determine which breaches pose a significant risk,” she continues, adding consumers’ attention should be sought only when breaches pose a probability of significant harm.

A standard that’s too low would also be cumbersome to the OPC, which would be tasked with reviewing large volumes of reports where the risk of harm is not significant and delay the speedy review of significant breaches, Reynolds also notes.

Reynolds adds that a low threshold will also come at a great cost to Canadian businesses. In addition to significant time and money spent on reporting, notification, and remedial offers, they could also suffer reputational damage that could be “vastly disproportionate to the risk actually posed to the individuals affected by the breach,” she says.

But lawyer Ken Englehart, former vice president of regulatory affairs at Rogers, says how one defines “real risk of significant harm” may not ultimately matter.

“No matter how you define it, when there’s a $100,000 fine [for non-compliance], most companies are going to err on the side of notifying because they are not going to want to run the risk of not notifying,” he says.

Englehart says he doesn’t expect a huge impact on industries as a result of the changes to PIPEDA as “responsible” companies already report data breaches.

“I don’t expect a whole lot of clarity [in the regulations]. I think the mandatory breach notification isn’t even going to change that much because most companies who are responsible already notify their customers and the Office of the Privacy Commissioner when there is a significant breach,” he says. “I really think the legislation is codifying what responsible companies do anyway.

“So I guess the change that the bill will make is that with a borderline case where people weren’t sure they had to notify or not, they now will [because they don’t want to take a chance],” Englehart adds.

Reynolds says the need for clarification in the regulations stems from experience with regulators that enforce provincial privacy laws. In those cases, the threshold for notification applied in practice appears lower than what the words of the legislation alone would support, she says.

Alberta’s privacy laws have similar language around data breach reporting requirements and the trend so far is a low threshold for what constitutes a real risk of significant harm, Reynolds adds. That province has a two-pronged approach to reporting — companies would report a breach to the privacy commissioner, who then decides if the breach is significant enough to notify users, she explains.

“Almost universally,” the commissioner has found breaches were severe enough to notify users, Reynolds says. “Looking at the recent decisions almost indicates a threshold that is just a possibility.”

The amendments to PIPEDA also require organizations to retain a record of every breach of security safeguards, whether or not they are obligated to report, and provide the record to the OPC on request.