Starting Nov. 1, 2018, Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA) will require organizations that suffer a data breach involving personal information to:
To help organizations better understand their obligations, the OPC recently published final guidance on the law.
The main component of PIPEDA relates to data breach reporting. When an organization suffers a breach of security safeguards involving personal information under its control and there’s
In its final guidance, the OPC clarified a number of concepts to help organizations better understand this requirement and what’s expected of them.
A breach of security safeguards is the “loss of, unauthorized access to or disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.” Security safeguards include physical, organizational, and technological measures designed to protect against the loss, theft, and unauthorized access, disclosure, copying, use, or modification of personal information.
The obligation to report a hack rests with the organization that controls the personal information implicated in the breach itself.
Only breaches that create a real risk of significant harm need to be reported to the OPC. Significant harm may include bodily harm, humiliation, damage to reputations or relationships, loss of employment, financial loss, identity theft, etc.
The OPC provides a model form organizations should use to report a breach. Organizations must submit reports as soon as feasible and must specify the date of the breach, a description of the breach, the nature of the information involved in the breach, and whether or not the breach was reported to the OPC and the affected individuals.
© Scrivens Insurance and Investment Solutions 2018