New Notification Requirements for Data Breaches
As of November 1, 2018, if your organization suffers a data breach, new reporting requirements will be in place that may require you to notify consumers and the Privacy Commissioner of the breach – or else face a fine of up to $100,000.
Further to an Order-in-Council published in late March, certain sections of the Digital Privacy Act will come into force on November 1, 2018. These sections require that if:
(a) there is any breach of an organization’s security safeguards involving personal information under its control, and
(b) it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual,
then the organization must notify both the individuals affected and the Privacy Commissioner of the breach. These notifications must be given as soon as feasible after the organization discovers the breach.
“Significant harm” is broadly defined – it includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. When determining whether there is a real risk of significant harm to an individual, the organization should consider the sensitivity of the personal information involved in the breach and the probability that it has been, is being or will be misused.
Regulations to the Digital Privacy Act, which we expect to be published next week, will set out the information that must be included in these notifications and the way that they must be provided. We will post an update on this blog with further details once these regulations are released. At the very least, the notification to the affected individuals must be conspicuous and given to them directly, and it must contain sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm.
Organizations will also be required to notify any other organization or government institution that may be able to mitigate or reduce the risk of harm that could result from the breach.
Data breaches can happen in any organization, and they pose both a reputational and business risk. As of this November, there will also be specific legal consequences if you fail to notify affected individuals (and the Privacy Commissioner) of data breaches that pose a real risk of significant harm to individuals.