Privacy and Cybersecurity in Canada: Essential for Business


In Canada, cyberattacks are becoming more frequent, and they can result in serious business losses.

Almost all Canadian organizations reported cyberattacks in 2022, with 25 percent of organizations experiencing at least one attack daily, and most organizations experiencing between 11 and 30 attacks per month.

The average cost to remediate a data security breach is $5.64 million.

Proactively preparing for a data breach event is a good approach for businesses.

Maintain strong privacy and cybersecurity policies.

Businesses can reduce risk by maintaining strong privacy protocols.

They should also maintain backup and disaster recovery plans.

Employees should be trained on all policies and procedures.

Develop an effective breach response plan.

Every business should have a breach response plan.

The Quebec Superior Court recently dismissed the first privacy breach class action lawsuit against the Investment Industry Regulatory Organization of Canada (IIROC) over the loss of personal information of thousands of Canadian investors due to a data breach.

The court reviewed IIROC's actions after the breach and found that it acted in good faith.

This decision emphasizes the importance of having a well-prepared and well-executed breach response plan that can protect the business from civil liability in the event of a cyberattack or other data security breach.

All employees, contract workers and relevant service providers should know how to identify, report and escalate an incident.

The plan should also include a response team that clearly understands their roles, contact numbers for each team member and back-up options for all team members in the event of their absence.

The response team may include staff from the privacy office, IT, key managers, legal (if applicable), as well as human resources representatives and external specialists in forensics, public relations, and insurance.

Regularly reviewing and testing the plan will help your business quickly identify weaknesses in its cybersecurity and strengthen its defenses.

The response plan should be periodically reviewed and adjusted to reflect improvements in technology and changes in internal processes.

If a data breach occurs, Canadian companies should assess whether notification is required under applicable federal or provincial privacy laws.

The federal Personal Information Protection and Electronic Documents Act (PIPEDA) applies to companies doing business across Canada, except in three provinces: Alberta, British Columbia and Quebec.

These provinces have their own privacy laws that are recognized as substantially compliant with PIPEDA.

PIPEDA also applies to federal agencies and businesses operating in these provinces, such as banking, railroads, and telecommunications.

PIPEDA and similar laws in the provinces of Alberta and Quebec have mandatory data breach notification requirements.

In addition, there are data security breach notification requirements in various provincial public sector privacy laws and health information privacy laws.

This article summarizes the private sector notification requirements only.

Under PIPEDA, businesses must notify the Privacy Commissioner of Canada and affected individuals of a privacy breach that poses a "real risk of significant harm" to affected individuals as soon as practicable.

The notification must contain sufficient information to enable the Commissioner to understand the significance of the breach and take action to reduce the risk of harm.

The Quebec provincial law on the Protection of Personal Information in the Private Sector and a similar Alberta law also require notification of a privacy breach.

In the event of a breach, it may be necessary to send notices to multiple jurisdictions with different requirements.

When a cyberattack results in the loss of personal information or unauthorized access to or disclosure of such information, businesses should think about the following issues in order to comply with the notification requirements:

  • Who is responsible for breach notification?
  • Businesses that "control" or "store" personal information must notify the Privacy Commissioner of Canada, and the Privacy Commissioner of Alberta or Quebec, if the personal information of individuals residing in those provinces is affected by the breach.
  • When a business transfers personal information to a third party for processing and a breach occurs while that information is held by the processor, the underlying business remains the controlling party of the personal information and is therefore responsible for breach notification.
  • In applying Quebec law, however, the notification requirements apply to any entity that has experienced a data breach regarding personal information that the entity 'holds,' and it is not yet clear whether Quebec regulators will make a similar distinction between the controlling party and its processors.
  • In Canada, private sector organizations may be subject to extraterritorial application of the laws if there is a real and substantial connection to Canada.
  • Data breach notification requirements would therefore also apply to foreign organizations that collected personal information of Canadians and experienced a breach of that information.

What breaches should be reported?


According to PIPEDA and the Alberta Personal Information Protection Act, only breaches that pose a "real risk of significant harm" (RROSH) to an individual should be reported.

The new Quebec law has similar requirements.

In Alberta, after a business notifies the Alberta Privacy Commissioner of a breach, the Commissioner may require the business to notify individuals.

In fact, according to Canada's 2022 Breaches of Practice Report, 80 percent of businesses had already notified the affected persons at the time of contacting the Commissioner.

Notices of the breach sent to affected persons must contain sufficient information for them to understand the significance of the breach and to take steps to mitigate damages.

Businesses may offer affected individuals credit monitoring services, identity theft protection services, and other information and resources to reduce the risk of harm.

What is the penalty for failure to report a breach?

In accordance with Quebec provincial legislation, a business that fails to notify the Privacy Commissioner or affected individuals of a data security breach can face penalties of up to $25 million or 4 percent of its annual global revenue, and up to $10 million or 2 percent of its annual worldwide revenue.

The federal government has introduced Bill C-27, the Digital Charter Implementation Act, 2022 (DCIA), to replace PIPEDA with stronger privacy and data protection laws.

DCIA would introduce new privacy rights for individuals and expand the powers of the Privacy Commissioner.

There will also be a new Personal Information and Data Protection Tribunal and the risk of significant administrative monetary fines or criminal penalties for privacy breaches or offenses.

The Bill is currently at the second reading stage in the House of Commons and is subject to debate, amendment and further vetting before it can be passed into law.

If DCIA is enacted, failure to report violations to the Privacy Commissioner could result in maximum fines of $25 million or five percent of gross global revenue.

Affected individuals may have a private right of action if the Privacy Commissioner finds that a business has failed to implement appropriate security protocols.

It appears that privacy breaches are becoming increasingly common and carry organizational, legal, and reputational risks.

In general, privacy and cybersecurity should be a priority for businesses in Canada.

An experienced team familiar with the laws and practices can effectively help reduce the risks and costs associated with cyber incidents.