On November 1, Canada provided the U.S. with another model for a national breach law: the Personal Information Protection and Electronic Documents Act (“PIPEDA”). Under that law, companies are required to notify Canada’s Privacy Commissioner and affected individuals as soon as feasible if they experience “any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.” Harm is not confined to financial injury, and includes humiliation and damage to reputation.
Where notice is given to individuals, companies are also required to notify other organizations or government institutions that might be able to reduce the risk of harm resulting from the breach, such as law enforcement or credit card processors. Companies are also required to maintain a record of every breach involving personal information, regardless of the risk of harm posed. Failure to comply can result in fines of up to $100,000. On October 29, the Office of the Privacy Commissioner of Canada released final guidance regarding how businesses may satisfy their reporting and record-keeping obligations, which includes a list of factors to consider in assessing whether a breach creates a real risk of significant harm, including:
- The sensitivity of the personal information involved (e.g., medical records);
- Evidence of malicious intent (e.g., theft or hacking);
- The likelihood that the individual who obtained the information will misuse it; and
- Adequate encryption or anonymization of the personal information.
Canada’s PIPEDA comes into force less than six months after GDPR, continuing a trend toward national or multinational data security frameworks outside the U.S. Although Canada’s “as soon as feasible” notification deadline is likely less onerous than GDPR’s 72-hour notification requirement, there are many similarities between PIPEDA and GDPR: both (i) have broader definitions of personal data than current U.S. data breach laws; (ii) require mandatory data breach reporting only where there is a risk of harm (which is not required under many U.S. state laws); and (iii) require companies to keep a record of all data breaches involving personal information. In some circumstances, PIPEDA, like GDPR, may end up being applied extraterritorially to foreign organizations that have been breached, where harm has resulted to local citizens.
By contrast, breach notification in the United States is governed by a patchwork of 50 different generally applicable state laws, in addition to various federal and industry-specific breach notification regulations, like the NYDFS Cybersecurity Regulation and HIPAA. Some recent legislative proposals from Congress have included federal breach notification with preemption of state laws (such as the Data Acquisition and Technology Accountability and Security Act introduced in the House in February 2018), but none of those proposals seems likely to pass, at least in the foreseeable future.
Rather than using federal preemption, the Canadian law seeks harmonization. The Regulatory Impact Analysis Statement states that the federal government “may” exempt companies within provinces that have passed “substantially similar” legislation to PIPEDA. The Canadian government has deemed Alberta’s Personal Information Privacy Act, which includes breach notification provisions, substantially similar to PIPEDA.
For now, Canada’s PIPEDA is one more breach notification obligation for U.S. companies to worry about, but hopefully it will serve as another reason for U.S. lawmakers to seriously consider a single national breach notification law.
The Davis Polk Cyber Portal is now available to assist our clients in their efforts to maintain compliance with their data breach notification obligations, as well as other cybersecurity regulatory obligations. If you have questions about the Portal, please contact email@example.com.