Technology and Information Governance
My company has suffered a data breach! Should I report it?
As of September 22, 2022, private businesses and public sector organizations must notify the Commission d'accès à l'information (the "CAI") and the affected individuals of any incident of confidentiality involving personal information that presents a risk of serious harm. Failure to do so may result in significant administrative and penal sanctions. This new obligation is introduced by the Act to Modernize Legislative Provisions Respecting the Protection of Personal Information, LQ 2021, c 25 ("Act 25"). Act 25 strengthens the legal framework for the protection of personal information in Quebec, which until now included no obligation to report an incident of confidentiality.
What is an "Incident of Confidentiality"?
According to Section 3.6 of Act 25, an "incident of confidentiality" is any access to, use or communication of personal information that is not authorized by law, as well as the loss of personal information or any other breach of the protection of that information. The definition covers many scenarios, including successful phishing attacks, loss of personal information (for example, a misplaced laptop or storage device), ransomware attacks, unauthorized disclosure of personal information by an employee or former employee, and accidental posting of personal information online.
Reporting to the CAI
When a company has reason to believe that an incident of confidentiality has occurred, it must first take reasonable steps to reduce the risk of harm and to prevent further incidents of a similar nature. If the company determines that the incident presents a risk of serious harm, it must report it to the CAI without delay in accordance with Section 3.5(2) of Act 25. This mitigation requirement applies equally to any entity or third party that has custody or control of the personal information, such as a service provider.
In assessing the risk of harm to the individuals whose personal information is involved in the incident, the organization must consult the person in charge of the protection of personal information within the organization and consider the sensitivity of the information, the anticipated consequences of its use, and the likelihood that the information will be used for injurious purposes.
Reporting to Individuals
Once a company has determined that the incident presents a risk of serious harm, it must also notify every individual whose personal information is affected by the incident; if it fails to do so, the CAI may order it to. The company may additionally notify any person or organization, such as a subcontractor or service provider, that is in a position to reduce the risk of serious harm, disclosing to that person only the personal information necessary for this purpose. The consent of the individuals concerned is not required for such a disclosure; however, it must be made in writing (S. 3.5(2) of Act 25).
Form and Content of the Notice
At this time, Act 25 does not set out specific requirements as to the form, content and manner of the notice, although these may be determined by regulation at a later date. In the event of an incident that presents a risk of serious harm, companies would nevertheless benefit from including the following information in their notice to individuals: (i) a description of the circumstances of the incident and the date or period during which it occurred, (ii) the personal information affected by the incident, (iii) the steps the company has taken or intends to take to reduce the risk of harm resulting from the incident, (iv) the steps the affected individuals can take to reduce or mitigate that harm, and (v) contact information through which individuals may obtain more information about the incident.
Creation of an Incident Register
Act 25 also requires companies to keep a register of every incident of confidentiality, whether or not it presents a risk of serious harm. Upon request from the CAI, the company must provide it with a copy of this register (S. 3.8 of Act 25).
In order to comply with these new obligations and the other provisions of Act 25, organizations should implement an information governance program without delay, including a governance plan, ongoing training for employees and business partners, and deployment of the appropriate technology. Our team can help you implement a comprehensive governance program within your organization and provide customized advice for assessing, monitoring and enforcing compliance.
Please note that personal information processed by a Quebec company may also be subject to other legal regimes, including the federal Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) ("PIPEDA"), under which notification of breaches of security safeguards that pose a real risk of significant harm to individuals is already mandatory.