The document discusses PIPEDA, Canada's private sector privacy law, and the importance of having an Incident Response Plan (IRP) to respond to data breaches. It provides an overview of PIPEDA's 10 fair information principles and requirements regarding data breaches. It emphasizes that an IRP outlines the steps to detect, respond to, and reduce the risk of future incidents. It also stresses engaging legal counsel to maintain privilege and avoid liability when developing, implementing, and responding to breaches according to the IRP.
1. PIPEDA & The IRP
WHAT YOU NEED TO KNOW | WHAT YOU NEED TO DO
This presentation does not constitute legal advice, nor should it be construed as such. The opinions expressed herein are
solely mine, and they do not necessarily represent the views of Siskinds LLP, its partners, associates or affiliates.
2. Bio
Drew is an associate in Siskinds’ Technology, Privacy and Franchise Group. His practice focuses on
providing legal services to businesses involved in the manufacture and distribution of goods and
services via franchising, multi-level marketing, and technology transfer, development, distribution and
licensing. He advises clients on matters relating to cybersecurity, data protection, privacy and anti-
spam, including PIPEDA, Privacy Shield and GDPR compliance.
Practice Areas
Data protection | Cybersecurity | Privacy
Drew Johnson, Technology and Cyber Security Group
4. What is PIPEDA?
The Personal Information Protection and Electronic Documents Act
(PIPEDA) is the federal privacy law for private-sector organizations. It
sets out the ground rules for how businesses must handle personal
information in the course of their commercial activities.
5. What does PIPEDA apply to?
PIPEDA applies to the collection, use or disclosure of personal
information in the course of a commercial activity.
6. What does PIPEDA not apply to?
Organizations that do not engage in commercial, for-profit activities.
7. Geographic Scope
Unless the personal information crosses provincial or national borders,
PIPEDA does not apply to organizations that operate entirely within:
• Alberta
• British Columbia
• Quebec
8. What is personal information?
Personal information is data about an “identifiable individual”. It is
information that on its own or combined with other pieces of data,
can identify you as an individual.
9. What Does Personal Information Include?
• Age
• Credit card numbers
• Race, national or ethnic origin
• DNA
• Social Insurance Number or driver’s licence
• Opinions, comments or views about you as an employee
10. What is generally not considered personal information?
• Information that is not about an individual because the connection to
a person is too weak or far removed.
• Information about a business or organization.
• A person’s business contact information.
11. 10 Principles of PIPEDA
The 10 fair information principles that businesses must follow:
Accountability
Identifying Purposes
Consent
Limiting Collection
Limiting Use, Disclosure and Retention
Accuracy
Safeguards
Openness
Individual Access
Provide Recourse
12. 1. Accountability
• Appointment of an individual as Chief Privacy Officer.
• Establishment of a “privacy team”.
• Development of policies and procedures for the collection and
protection of personal information.
13. 2. Identifying Purposes
• Purpose must be clearly identified.
• Collection must be confined to what is necessary to complete the
purpose.
• Inform of purpose at the time personal information is collected.
14. 3. Consent
• Express v. Implied Consent.
• Sensitivity of information.
• Must be obtained from customers/clients for the collection and use of
their personal information.
15. 4. Limiting Collection
• Need to consider carefully whether information that is being collected
is reasonably necessary for the purposes.
16. 5. Limiting Use, Disclosure and Retention
• If purposes change, new consent is required.
• If information will be disclosed to third parties, consent must be
obtained.
• Personal information should only be retained for so long as is
reasonably necessary to satisfy the purposes for which it was
collected.
17. 6. Accuracy
• Obligation to keep personal information up to date, complete and
accurate.
• Make corrections as necessary.
18. 7. Safeguards
• Develop and implement a security policy to protect personal
information.
• PIPEDA does not specify particular security safeguards that must be
used. Rather, the onus is on organizations to ensure that personal
information is adequately protected.
19. More on Safeguarding
• The degree of security to be exercised will depend on a number of factors:
  • sensitivity
  • amount
  • extent of distribution
  • format
  • type of storage
20. 8. Openness
• Employees need to be aware of the policies and the procedures
regarding privacy matters.
• Customers/clients need to be informed of the existence of privacy
policies and what the practices are.
• Responsiveness to customers’ privacy related requests.
21. 9. Individual Access
• Individuals are entitled to review their personal information on
request.
• Corrections may be requested and should be made if appropriate.
• Response within 30 days of request.
22. 10. Challenge Compliance/Provide Recourse
• Development of complaint procedures.
• Should be straightforward and easily accessible.
• Responsiveness to complaints.
• Investigation.
• Corrective measures.
• Satisfaction of individual complainant.
23. Most Common Complaints
• Improper collection, use and/or disclosure of personal information.
• Difficulty obtaining access to personal information.
• Refusal to correct personal information.
• Inadequate safeguards.
24. Your Responsibility as a Business
• Comply with all 10 of the Principles.
• Protect personal information against loss or theft.
• Protect personal information regardless of the format in which it is
held.
• Safeguard the information from unauthorized access, disclosure,
copying, use or modification.
26. A breach of security safeguards is defined in PIPEDA as:
• the loss of,
• unauthorized access to or
• unauthorized disclosure
of personal information resulting from a breach of an organization’s security
safeguards, or from a failure to establish those safeguards.
27. Duty to report to the OPC (Office of the Privacy Commissioner of Canada) - RROSH
Reasonable in the circumstances to believe that the breach of security
safeguards creates a real risk of significant harm to an individual.
28. Timing of Report to the OPC
As soon as feasible after determination that the breach has occurred.
29. Notification to Individual & Organizations
In a RROSH breach of security safeguards involving an individual’s
personal information, you must notify:
• The individual affected.
• Organizations that may be able to assist in mitigation.
31. Contents of Notification
The notification must contain sufficient information to allow the
individual to understand the significance to them of the breach and to
take steps, if any are possible, to reduce the risk of harm that could
result from it or to mitigate that harm.
32. Form and Manner of Notice
The notification must be conspicuous and shall be given directly to the
individual in the prescribed form and manner.
33. Maintenance of Records
You must keep and maintain a record of every breach of security
safeguards involving personal information under your control.
34. Access by OPC
You must, on request, provide the Commissioner with access to, or a
copy of, a record.
35. Offences:
• Fail to comply with breach notification requirements.
• Fail to maintain a record of breaches of security safeguards.
• Destroy personal information that an individual has requested.
• Obstruct a complaint investigation or audit by the Commissioner or
their delegate.
36. Significant Harm
Significant harm includes:
• bodily harm,
• humiliation,
• damage to reputation or relationships,
• loss of employment,
• business or professional opportunities,
• financial loss,
• identity theft,
• negative effects on the credit record and
• damage to or loss of property.
37. Relevant Factors - RROSH
Factors that are relevant to determining whether a breach of security
safeguards creates a real risk of significant harm include:
• the sensitivity of the personal information and
• the probability the personal information has been/is/will be misused.
38. Sensitivity
PIPEDA does not define sensitivity.
Although some information (for example, medical records and income
records) is almost always considered to be sensitive, any information
can be sensitive, depending on the context.
39. Circumstances
• Certain information may on its face be clearly sensitive. Other
information may not be.
• The circumstances of the breach may make the information more or
less sensitive. The potential harms that could accrue to an individual
are also an important factor.
40. Probability of Misuse
Several questions you need to consider:
• What happened and how likely is it that someone would be harmed by the
breach?
• Who actually accessed or could have accessed the personal information?
• How long has the personal information been exposed?
• Is there evidence of malicious intent (e.g., theft, hacking)?
• Were a number of pieces of personal information breached?
• Is the breached information in the hands of an individual/entity that
represents a reputation risk to the individual(s) in and of itself?
• Was the information exposed to limited/known entities who have
committed to destroy and not disclose the data?
42. What is an Incident Response Plan?
The IRP is the keystone internal policy necessary to help an
organization detect and react to computer security incidents,
determine their scope and risk, respond appropriately to the incident,
communicate the results and risk to all stakeholders, and reduce the
likelihood of the incident from reoccurring.
43. What does an Incident Response Plan do?
An IRP addresses issues like cybercrime, data loss, and service outages
that threaten your network, and works to reduce the response times
for addressing each of the goals listed above.
44. Why Does an Organization Need an IRP?
An IRP is a necessary policy for all organizations that hold confidential
information (personal data, organizational, or otherwise), so that they can
respond to a data incident in a timely manner, reducing reputational damage
and potential liability.
45. Why Does an Organization Need an IRP?
During the course of a data breach, small mistakes can lead to significant
amplification of liability and reputational damage.
• The number of publicly disclosed data breaches rose by almost 50% in 2017
over 2016.*
• 61 percent of breach victims in 2017 were businesses with under 1,000
employees.*
• By responding quickly to and containing a data breach, companies average a
savings of over $1 million.*
Sources:
1. Identity Theft Resource Centre 2017 Annual Data Breach Year-End Review
2. 2017 Verizon Data Breach Investigations Report
3. 2018 Cost of a Data Breach Study by Ponemon
46. What is Included in an IRP?
The plan should, in exhaustive detail, outline the steps for responding
to an incident and should be stored in electronic and paper format.
47. What is Included in an IRP?
An IRP will often include:
• A list of the members of the Incident Response Team (IRT);
• 24 hour contact information;
• Roles and responsibilities for the members of the IRT;
• A list of critical network and data recovery processes;
• A list of the tools, technologies, and resources that are available to assist the
response; and,
• A business continuity plan.
48. What is an Incident Response Team?
Your Incident Response Team (IRT) is the designated group of internal
and external individuals assigned to navigate the IRP when a data
incident is declared.
49. Who is on an Incident Response Team?
C-Suite Executives/Chief Privacy Officer
• declare an incident, thereby triggering the activation of the IRP.
IT Professionals/Computer Security Incident Response Team
• identify the source of the incident, contain the incident, and document the
response.
External Legal Counsel
• provide solicitor-client privilege over the response, coordinate law
enforcement, and advise on any disclosures to the public or to regulators.
External Consultants
• provide media relations, forensic audits, etc.
50. When Do We Call Our Lawyer?
By engaging external counsel prior to creating an IRP and immediately
upon identifying a data incident, a company can rely on solicitor-client,
work-product, or litigation privilege as necessary to minimize these
disclosures.
51. When Do We Call Our Lawyer?
Pre-Incident
Any communication or document relating to a data security incident
has the potential of becoming part of the evidentiary record in future
litigation, increasing the chance of the organization being found liable.
52. When Do We Call Our Lawyer?
Pre-Incident
A company cannot argue that communications/documents are
protected by privilege by involving its counsel at a later date.
Audit and investigative reports should be addressed to and delivered to
counsel.
In developing the IRP, legal counsel should engage third party service
providers to maintain privilege.
53. When Do We Call Our Lawyer?
Pre-Incident
An organization’s cyber risk management activities may result in the
production of sensitive communications and documents, such as:
• threat risk assessments,
• legal compliance assessments, and
• data security incident investigation reports.
54. When Do We Call Our Lawyer?
During the Incident
The immediate aftermath of a data security incident is hectic and some
of the most damaging communications or documents can be created
due to the lack of information and time to reflect on the incident.
A strictly-enforced communication guideline is an important part of any
incident response plan.
55. When Do We Call Our Lawyer?
During the Incident
An organization’s ability to keep cybersecurity efforts privileged is
stronger where the organization has taken each of these steps:
• Follow counsel’s directions for action;
• Set clear rules regarding communication; and
• Hire and manage outside vendors through counsel.
56. When Do We Call Our Lawyer?
Post-Incident
Following a data security incident, there are various disclosure and
reporting obligations imposed on organizations.
An important role of legal counsel is to advise the organization on its
disclosure obligations and to draft appropriate communications.
57. When Do We Call Our Lawyer?
Post-Incident
Failure to give timely notice of a data security incident may result in
serious adverse consequences, including statutory sanctions, liability
for breach of contract or breach of a duty to warn and loss of insurance
coverage.
58. How Often Should IRP Training Occur?
An IRP is useless unless all of the members of the IRT understand it and
are able to implement it.
59. How Often Should IRP Training Occur?
Ongoing cyber-security training for the IRT and annual or semi-annual
tabletop exercises for issue identification and rectification by the IRT
are critical to the effective implementation of the IRP and reducing
liability.
60. How Often Should IRP Training Occur?
Beyond the IRT, all members of your staff are your front line against a
data security incident and should understand the importance of the IRP
and full cooperation with the IRT in identifying and rectifying a data
incident.
61. Can the IRP Stand on Its Own?
Privacy-by-design is not a buzzword.
An IRP needs to be bolstered by additional policies and procedures that assist the
organization in preventing the access, loss and corruption of confidential
information, including:
• Mobile Device Policy;
• Acceptable Use and Social Media Policy;
• Password Policy;
• Physical Security Policy;
• Security Infrastructure Policy;
• Data Protection Policy; and,
• Disaster Recovery/Business Continuity Plan.
62. Contact Us
Peter Dillon,
Head of Technology and Cyber
Security Group
Email: peter.dillon@siskinds.com
Phone: 519-660-7818
Drew Johnson
Technology and Cyber Security Group
Email: andrew.Johnson@siskinds.com
Phone: 519-660-7848