
More risky business for employers: new data breach regulations

To date, when they have suffered a data breach, B.C.-based employers have generally had to concern only themselves with asset protection. Notification of customers or the regulator has not been required by legislation.

However, effective November 1, 2018, new mandatory breach-reporting requirements are coming into force under the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA is a federal statute, and B.C.’s privacy legislation does not currently require data breach reporting. However, PIPEDA applies to all interprovincial and international transactions by all organizations subject to the act and to federally regulated organizations in the course of their commercial activities.

So, even if you are a provincially regulated B.C. employer, if you suffer a data breach in relation to your cross-provincial commercial activities, you may be required to report.

Reporting requirements

Effective November 1, organizations subject to PIPEDA will be required to notify the commissioner, affected individuals and potentially other organizations of data breaches where it is reasonable to believe that the breach creates a “real risk of significant harm to the individual.” This notice must be given “as soon as feasible” after it is determined the breach occurred.

Organizations might also be required to notify other organizations or government institutions if notice would reduce or mitigate the risk of harm to the individual.

“Significant harm” includes bodily harm; humiliation; damage to reputation or relationships; loss of employment, business or professional opportunities; financial loss; identity theft; negative effects on a credit record; and damage to or loss of property.

Record keeping

Organizations that suffer a data breach as defined in the legislation are required to maintain records of the breach for 24 months (even if the breach does not create a risk of significant harm) and provide the records to the commissioner on request.

What does this mean for B.C. employers?

These new requirements constitute a significant change to the regulatory landscape. Certification of class-action lawsuits (and the potential for significant damages awards) often increases when mandatory breach notification is required. Many companies will need to make significant changes to their existing privacy policies and practices.

How can employers protect themselves?

Data breaches are not only caused by a company being hacked. Employees are involved in a significant number of the breaches that occur. Innocent, careless or negligent actions by employees can have catastrophic results for companies and lead to reporting obligations.

In order to protect themselves and comply with the new legislation, employers should consider taking the following steps:

• B.C.-based companies should consider whether they are federally regulated or engage in commercial activities that might be governed by PIPEDA.

• Organizations subject to PIPEDA should immediately start reviewing their existing privacy policies and procedures. These organizations will need to ensure they have a robust breach response plan in place before November 1.

• All organizations should consider creating a breach response plan as best practice.

• Employers will need to train employees on data breach risks and reporting obligations under the new legislative requirements.

• Employers should consider if “bring your own device” policies and other employee schemes can lead to increased vulnerability or risk to the company.

• Employers should review record-retention policies in light of the new requirements.

For many organizations, the question is not if but when they will suffer a data breach. It makes sense to ensure the company and its employees are prepared to deal with it.

Keri L. Bennett is a partner at Roper Greyell LLP.