In June 2015, Canada made significant amendments to its data privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). These amendments to PIPEDA will require businesses to inform the Canadian Privacy Commissioner of certain data breaches, provide notice to affected individuals and maintain a log of any breaches of their cybersecurity safeguards. Regulations implementing the amendments are being developed and we expect, with a new government in place, to see something soon.
We have written in detail about a key provision of this new law in our article “Data Breach Logs: The New ‘Hot’ Document.” For U.S. businesses with Canadian contacts, one of the more troubling amendments to PIPEDA requires companies to maintain “a record of every breach of security safeguards involving personal information under its control.” While companies will be required to publicly report breaches that the company “reasonably believes” pose a “real risk of significant harm to the individual,” they will nonetheless need to record breaches that fall below that threshold. They will now need to create a breach log that could include information about a wide array of cybersecurity incidents and data breaches. Which companies will be covered also remains unclear. Will it be just Canadian-based and multi-national companies with operations in Canada? Will it also apply to companies with Canadian customers or those that maintain Canadian consumer personal information? These are critical questions that remain unanswered.
For companies subject to this requirement, this raises huge risks. Maintaining a comprehensive breach log that will be readily available to regulators and class action plaintiffs seeking to sue a company over a data breach is akin to handing over one’s wallet. A summary of the company’s breach history is a litigation tool with lots of potential for mischief. Class action plaintiffs will be able to use the breach log to call into question the company’s cybersecurity measures and, if there is more than one breach on the report, to argue that the company has not learned from its earlier mistakes and therefore must be punished more severely. Regulators can also draw conclusions from these reports that may or may not be warranted. In all cases, these reports risk simplifying a more complex and nuanced reality regarding a company’s vulnerabilities and defenses. Nor will companies be able to distance themselves from these reports – which are unlikely to be privileged or protectable under current law – as the companies themselves will have prepared them.
From a purely logistical point of view, given the sheer number of cybersecurity events that companies suffer, these reports may also be time-consuming to prepare. There will surely be uncertainty as to whether a particular event needs to be logged and in what level of detail.
The law as drafted, requiring a log entry for “every breach of security safeguards involving personal information under [the company’s] control,” is potentially very broad in its application. It is possible, however, that the forthcoming regulations may narrow the law’s application in the following ways:
from all breaches to breaches that led to exfiltration of data or exfiltration of unencrypted data;
from all of a company’s breaches worldwide to only those that occur on servers or other hardware located in Canada; or
from breaches of any personal information to breaches that directly impact Canadian residents’ personal information.
The Canadian government is currently soliciting comments on various provisions of PIPEDA, including these record-keeping provisions. We are interested in hearing from our readers so that their comments and concerns may influence the drafting of the upcoming regulations. The Canadian government will be accepting comments until May 31.