Text by Antoine Guillemin, Juris Doctor, Co-Head of the Cybersecurity and Data Protection Group, Gowling WLG
MAIL FROM READERS. September 22, 2022 marks a before and an after for businesses and individuals in Quebec. Until then, companies were not required to report a personal information security incident to anyone. From now on, companies must notify the Access to Information Commission and the individuals concerned of any privacy incident that presents a risk of serious harm. This is undoubtedly a major change, but it also hides some important nuances…
Following the federal and Alberta models, Bill 25, the Act to modernize legislative provisions as regards the protection of personal information, was passed in part to provide a framework for how businesses and public bodies handle privacy incidents. The legislator considered this new regime for reporting (or notifying) privacy incidents so important, especially in light of recent events, that it had to come into force as soon as possible, namely in September 2022, whereas the other provisions apply only in 2023 or even 2024.
From now on, companies can no longer ignore privacy incidents in Quebec. That does not mean, however, that every incident must be reported: the answer is neither "never" nor "always". So where should the line be drawn? Is "never" at risk of prevailing over "always"? Nothing beats three good rules to find your way.
What is a privacy incident?
Let's start with rule #1: not every security incident is a privacy incident. More precisely, while every privacy incident belongs to the broad category of security incidents, two additional elements are needed before one can speak of a privacy incident, which is what may be subject to the reporting required by law.
On the one hand, the incident must involve personal information, that is, any information about a natural person that allows that person to be identified. If an incident targets other kinds of information, such as trade secrets or data about a group of people (non-individualized data), which may be just as sensitive, it would certainly be a security incident, but not a privacy incident within the meaning of the law.
On the other hand, the incident must involve unauthorized access to, use of or communication of personal information, or its loss. This may seem obvious, but it is not so simple in practice. For example, a company hit by ransomware that holds its customer database hostage has necessarily suffered a security breach, hence a security incident, but that does not by itself establish that the attacker accessed or exfiltrated personal information. Without further evidence, it is therefore not a privacy incident.
Risk of serious harm, what’s the difference?
Continuing with rule #2: not every privacy incident presents a risk of serious harm. It is easy to see that the loss of your surname alone on an online retail site is not as serious as unauthorized access to your entire medical file held by your doctor; reporting would not be required in the first case but would very likely be required in the second. There must therefore always be an assessment process for the "risk of serious harm" to determine whether the incident in question must be reported to the Access to Information Commission and the individuals concerned.
This brings us to the burning question: where can one find a precise definition or an exhaustive list of examples of this famous "risk of serious harm"? There is no simple answer, that would be too easy, but there are several important factors to consider: the sensitivity of the information in question (by its nature, for example biometric data, or by its context of use, for example a children's website), the anticipated consequences of its use (in particular the possibility of fraud or identity theft), and the likelihood that the information will be used for malicious purposes (for example, if it is available on the dark web). In practice, this assessment involves many stakeholders, including IT professionals and lawyers, and can take weeks or even months to complete.
Content of the report, how do we do it?
Let's end with rule #3: every notification of a privacy incident must contain mandatory information. Once it has been determined that there has indeed been a privacy incident presenting a risk of serious harm, it is time to report it carefully to the Access to Information Commission and the individuals concerned. A vague statement along the lines of "We have been the victim of a privacy incident. Everything will be fine. Trust us." will not do; from a reporting standpoint, it accomplishes very little.
This is why the government recently proposed a draft regulation aimed at better informing citizens about the circumstances of the incident and about the steps they are advised to take, where appropriate, to better protect their personal information. In particular, the written notice must contain, among other things, the following information: a description of the personal information involved in the incident or, if that information is not known, the reason why such a description cannot be provided; a description of the circumstances of the incident; the measures the organization has taken to reduce the risk of harm; the measures the individual concerned can take to reduce or mitigate the risk of harm to them; and the contact information of a person within the organization who can be reached about the incident.
Inform more, inform better: that is the whole purpose of Quebec's new regime for reporting privacy incidents. If need be, the penal sanctions for non-compliance ($25,000,000 or 4% of worldwide turnover) should convince the last holdouts. A word to the wise…