With security breaches regularly affecting millions (or even billions) of people, effective security breach disclosure rules are an essential part of a modern privacy law framework. It may surprise many to learn that Canada still does not have in effect mandatory security breach disclosure rules that require companies to notify affected individuals. Rules were passed in 2015, but the accompanying regulations were puzzlingly slow to emerge. The government finally released proposed regulations late in the summer with a consultation that closed earlier this week. My submission, which focused on implementation, content of notices, and proposed “indirect” notification, is posted below.
Submission on Breach of Security Safeguards Regulations
Further to the notice in the Canada Gazette, below please find my comments on the consultation regarding regulations for the Breach of Security Safeguards Regulations. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. My areas of speciality include digital policy and privacy. This response is submitted in my personal capacity reflecting my own views.
The inclusion of an obligation to notify those affected by a breach of security safeguards regulations within Canadian privacy law is long overdue. The absence of rules requiring organizations to notify individuals when their personal information is lost or accessed through a data or security breach has been an ongoing concern in Canada for many years. Data breach notification is rapidly becoming an international norm in privacy protection, creating much-needed incentives for organizations to better protect the information they collect and retain, and allowing individuals to take action to avoid harms such as identity theft when their information has been placed at risk.
While the mandatory data breach rules can be an effective legislative privacy tool, they only work if organizations actually disclose breaches in a timely manner. The new regulations address some concerns, but there are several areas that could be improved.
The proposed regulations indicate that there will be a delayed coming into force after the publication of the regulations. They indicate that “this will give regulated organizations time to adjust their policies and procedures accordingly and to ensure that systems are in place to track and record all breaches of security safeguards that they experience.”
The need for mandatory breach disclosure rules has been readily apparent for many years. The development of these rules has undergone extensive consultation and Parliamentary review. With the steady stream of serious data breaches around the world – many of which have directly affected millions of Canadians – there will be few businesses that are unaware of the breach disclosure rules and their need to properly safeguard the personal information they collect, use and disclose. Indeed, many businesses may already engage in proactive disclosure, recognizing that existing privacy law arguably includes such an obligation as part of the “Accountability” principle, or out of a need to comply with foreign laws such as the European Union’s General Data Protection Regulation. The Digital Privacy Act was enacted by Parliament more than two years ago. Canadians have waited long enough for mandatory disclosure rules that were commonly found in other jurisdictions years ago.
In my view, there is no need for any delay in implementing these regulations. If the government insists on a delay, it should be for no more than 30 days to allow for a short transition period.
Content of the Notices
The proposed regulations rightly cover many important aspects of the content of notices. Inclusion of information regarding steps to mitigate potential harms and how to file complaints with the Privacy Commissioner of Canada is important for many Canadians to fully understand their rights in the aftermath of a security breach.
However, there are some omissions. First, as in some U.S. states, the notice should also include an offer to provide appropriate identity theft prevention and mitigation services at no cost to the affected person for not less than 12 months. This is an increasingly common requirement and should also be included in the Canadian regulations.
Second, the Canadian regulations do not specify that there must be disclosure about the likely consequences of the breach or an assessment of harm. Fully understanding the risks associated with the breach is linked to its consequences, and the failure to make such information a mandatory part of the notice runs the risk of leaving Canadians unaware of the full potential impact of the breach. The inclusion of that information was recommended by the Privacy Commissioner of Canada. It should form part of the required content in any notice.
Indirect Notification: Circumstances
The proposed regulations are unfortunately vague with respect to the circumstances in which indirect notification may be used. The regulations refer to the following:
(a) the giving of direct notification would cause further harm to the affected individual;
(b) the cost of giving direct notification is prohibitive for the organization;
(c) the organization does not have contact information for the affected individual or the information that it has is out of date.
By comparison, many U.S. states establish clearer requirements for when indirect notification may be used. For example, California and many other states establish cost benchmarks and reference to the number of affected individuals:
Substitute notice is available by means prescribed in the statute if the person or business demonstrates that
- the cost of providing notice would exceed $250,000, or
- that the affected class of subject persons to be notified exceeds 500,000, or
- the person or business does not have sufficient contact information.
By failing to establish greater certainty on the number of affected individuals, the Canadian regulations run the risk of becoming excessively reliant on indirect notification, with fewer Canadians receiving direct notification that their information has been breached. This is particularly difficult to justify in contexts where the impacted service provider has ready access to an automated means of direct notification.
Indirect Notification: Manner
The proposed regulations importantly establish the standards for indirect notification (often called “substitute notification” in other jurisdictions). The proposed approach is less comprehensive than similar rules found elsewhere. The proposed Canadian rule allows for either a website posting for 90 days or an advertisement designed to reach affected individuals. By comparison, the California rules require all of the following:
(A) Email notice when the person or business has an email address for the subject persons.
(B) Conspicuous posting, for a minimum of 30 days, of the notice on the Internet Web site page of the person or business, if the person or business maintains one. […] conspicuous posting on the person’s or business’s Internet Web site means providing a link to the notice on the home page or first significant page after entering the Internet Web site that is in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the link.
(C) Notification to major statewide media.
New York State features similar requirements that encompass all three options. The Canadian rules are less comprehensive than those found elsewhere, running the risk that Canadians may be left unaware that their personal information has been the subject of a security breach. Indirect notification, which should be used only in limited situations, should be crafted in a manner that best ensures that affected individuals will be informed of the breach. The current regulations fail to meet the standards found elsewhere and should be amended to require email notice where possible, prominent website disclosure, advertisement, and notification to major national and local media.
In addition, where indirect means are relied upon, the regulations must ensure these are supplemented by a readily accessible, secure and effective means by which potentially affected customers can confirm whether or not they have been affected. Recent failed attempts to provide such a mechanism have only worked to further undermine customer trust and to exacerbate the harm of the initial breaches. For example, a major recent data breach experienced by Equifax reportedly affected over 100,000 Canadians, in addition to millions of U.S. residents. While a portal was established allowing U.S. residents to check whether their data was within the affected dataset, this portal was insecure and imposed onerous obligations on those who made use of it. Further, Canadian residents were excluded altogether.
I am supportive of the need for organizations to retain records related to the breach for a full two years. Such a requirement is essential to ensure that potential complaints, investigations, or lawsuits will not be hampered by missing or incomplete information.