A Canadian law that goes into effect on November 1st will require companies to maintain a record of all breaches, regardless of whether they are reportable. We’ve previously written about the Canadian law that will impose a country-wide data breach notification requirement, and we explain the recordkeeping requirement (sometimes referred to as a “ledger” requirement) in more detail in this post. The idea of these types of requirements is to maintain a record of all security incidents that a company experiences – even those that do not meet the applicable risk threshold for legally mandated notification and reporting – so that a regulator can audit the entity’s compliance with the statute. Given that this type of requirement may be new to them, U.S.-based companies may want to begin implementing a process for maintaining regulator-friendly records of all security breaches affecting Canadian citizens’ data now.
As a refresher, beginning November 1st, companies with control over personal information of Canadian citizens will need to report to the Office of the Privacy Commissioner of Canada (“OPC”) about, and notify affected individuals of, a “breach of security safeguards” for which it is reasonable to believe that the breach creates a “real risk of significant harm.” A “breach of security safeguards” means the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish safeguards.
Canada’s Digital Privacy Act of 2015 requires organizations to “keep and maintain a record of every breach of security safeguards involving personal information under its control.” They must also provide the OPC with access to, or a copy of, those records upon request from the OPC. The accompanying regulations provide that an entity must retain a record of each breach of security safeguards for 24 months from the date it determines a breach has occurred. The regulations also provide that the record should “contain any information pertaining to the breach that enables the Commissioner to verify compliance” with the obligations to report to the OPC and notify affected individuals. Recent guidance issued by the OPC provides that the record should include, “at a minimum:”
- The date or estimated date of the breach;
- A general description of the circumstances of the breach;
- The nature of the information involved in the breach;
- Whether or not the breach was reported to the OPC;
- Whether affected individuals were notified; and
- If the breach was not reported to the OPC, a brief explanation of why the breach was determined not to pose a “real risk of significant harm.”
Given that these records must be provided to the OPC upon request, entities will need to take care not to include privileged materials in them, which is one reason it may be helpful to have a non-privileged central ledger to track incidents, in addition to any privileged materials like memos to file that the company may keep in connection with breaches.
While U.S. entities that are subject to the General Data Protection Regulation (GDPR) are likely familiar with the GDPR’s Art. 33(5) ledger requirements for any security breach, including those that are not required to be reported, they may not be used to maintaining these records in other contexts. For U.S. companies that have avoided having to comply with the GDPR but maintain personal information on Canadians, the concept may be entirely new. (Some U.S. laws do require entities to maintain records for set periods of time following a determination that notification is not necessary, but those records are not typically subject to auditing, which distinguishes the Canadian and EU regimes.) As a result, it may make sense to establish a process for maintaining a security breach ledger as soon as possible.
