On April 18, 2018, the Government of Canada published the final regulations relating to mandatory reporting of privacy breaches under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). To date, most organizations under PIPEDA’s purview have not been subject to mandatory privacy breach notification requirements. While organizations in the United States are familiar with breach notification statutes, organizations both within and outside of Canada will need to pay careful attention to the new requirements imposed under PIPEDA and assess any changes that need to be made to ensure compliance when the final regulations go into effect on November 1, 2018.

Application to Organizations

Within Canada, PIPEDA applies to:

  • All private sector organizations that collect, use, or disclose personal information in the course of their commercial activities (PIPEDA does not apply to organizations that operate entirely in Alberta, British Columbia, or Quebec);
  • Personal information about an employee of, or an applicant for employment with, an organization that collects, uses, or discloses that personal information in connection with the operation of a federal work, undertaking, or business; and
  • All personal information that flows across provincial or national borders in the course of commercial transactions involving organizations subject to PIPEDA or similar legislation.

Outside of Canada, PIPEDA applies to foreign organizations with a real and substantial link to Canada that collect, use, or disclose the personal information of Canadians in the course of their commercial activities.

Important Definitions

To understand the requirements imposed under PIPEDA, organizations will need to understand the terms of the statute that trigger notification. For those organizations familiar with breach notification statutes, PIPEDA’s definition of “breach” will look familiar. PIPEDA defines a “breach of security safeguards” as the “loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguard or from a failure to establish those safeguards.”

On the other hand, PIPEDA’s definition of “personal information” is extremely broad. “Personal information” is defined as any “information about an identifiable individual.” This definition of “personal information” encompasses any factual or subjective information, recorded or not, about an individual, including, but not limited to, name, age, ethnic origin, religion, Social Insurance Number, email address, health information, financial information, biometric information, employee files, credit reports, and education history.

Notification Requirements

An organization must notify individuals of any breach of security safeguards involving their personal information if it is reasonable to believe that the breach creates a “real risk of significant harm.” Concurrently, the organization must also report the breach to the Privacy Commissioner of Canada.

Prior to notification, organizations will have the opportunity to engage in a risk of harm analysis to determine whether the circumstances of the breach actually pose a real risk of significant harm to individuals. If not, notification is not required. To assist organizations in this determination, PIPEDA defines “significant harm” to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.

PIPEDA will also require an organization to notify additional government institutions if it believes that doing so may reduce or mitigate the risk of harm to the affected individuals.

Timing of Notifications

Notification to impacted individuals and the Privacy Commissioner should occur as soon as feasible after the organization determines a breach has occurred.

Content of Report to Commissioner

The report to the Privacy Commissioner must be sent by any secure means of communication and contain the following:

  • A description of the circumstances of the breach and its cause, if known;
  • The day or the period during which the breach occurred, or the approximate period;
  • A description of the personal information subject to the breach, if known;
  • The number of individuals, or approximate number of individuals, affected;
  • A description of the steps taken by the organization to reduce or mitigate the risk of harm to affected individuals;
  • A description of the steps that the organization has taken or intends to take to notify affected individuals in accordance with PIPEDA; and
  • The name and contact information of a person who can answer the Commissioner’s questions on behalf of the organization.

Content of Notice to Individuals

Notification to individuals must occur in person, by telephone, mail, or email, or by any other form of communication that a reasonable person would consider appropriate, and must include:

  • A description of the circumstances of the breach;
  • The day or the period during which the breach occurred, or the approximate period;
  • A description of the personal information subject to the breach, if known;
  • A description of the steps taken by the organization to reduce or mitigate the risk of harm from the breach;
  • A description of steps individuals can take to reduce the risk of harm that could result from the breach; and
  • Contact information that the individual can use to obtain further information about the breach.

Record Keeping Requirements

Most notably, PIPEDA will now require organizations to keep and maintain a record of every breach of security safeguards for twenty-four (24) months. What constitutes a record is subject to interpretation; however, the record must contain any information that enables the Privacy Commissioner to verify compliance with PIPEDA. On request, an organization must be prepared to provide the Privacy Commissioner with access to, or a copy of, such a record.


Organizations should carefully review, revise, and implement new privacy policies and procedures prior to November 1, 2018 to ensure compliance with the mandatory breach notification and record-keeping requirements imposed by PIPEDA.



A new bill introduced by House Financial Services subcommittee Chairman Rep. Blaine Luetkemeyer would significantly change data security and breach notification standards for the financial services and insurance industries. Most notably, the proposed legislation would create a national standard for data security and breach notification and preempt all current state law on the matter. Continue Reading Proposed House Bill Would Set National Data Security Standards for Financial Services Industry

California is once again poised to set the standard for privacy and data security by enacting the first state law directed at securing Internet of Things (IoT) devices. The law has passed the state legislature and is awaiting the signature of Governor Jerry Brown. It requires manufacturers of “connected devices” to equip them with “a reasonable security feature or features” that are:

  • appropriate to the nature and function of the device;
  • appropriate to the information the device may collect, contain or transmit; and
  • designed to protect the device and any information contained in it from unauthorized access, destruction, use, modification, or disclosure.

Continue Reading California Poised to Enact Internet of Things Information Security Law

As discussed in our prior post, the California Consumer Privacy Act of 2018 (the “Act”) is expected to be modified by the California legislature prior to its January 1, 2020, enforcement deadline. In fact, while Governor Brown signed the legislation less than two months ago, one effort to amend the law already is underway through California Senate Bill 1121.

Continue Reading Update on California’s Consumer Privacy Act of 2018

Ballard Spahr’s Privacy and Data Security Group will again be hosting its Colorado Cybersecurity Summit on September 18, 2018, at Ballard Spahr’s Denver office and via webinar.

Highlights will include a discussion with the Colorado Deputy Attorney General who will be responsible for enforcing Colorado’s groundbreaking new cybersecurity law, as well as the former Director of Legislative Affairs who ushered the law through the state legislature. The Summit will also feature panel discussions on the current state of GDPR, how the new California Consumer Privacy Act will affect businesses, and innovative ways to mitigate risk in a world with quickly changing technology.

The Summit is co-sponsored by IMA Financial Group, Kivu Consulting, Noosa Yogurt, and Colorado = Security.

CO CLE and IAPP CPE credits are pending. Uniform Certificates of Attendance will also be made available for the purpose of seeking CLE credit in other jurisdictions.



The online world is increasingly shaped by forces beyond our control. Algorithmic processing agents are used by a wide range of web publishers, online retailers, and social media companies to determine the stories that are featured to online readers, the advertisements that are targeted to online shoppers, and the search results they see, to name just a few of the ways in which these hidden programs shape the content of our online experience.

US and EU privacy regulators have developed different models for managing the potential negative impacts of online profiling. In a recent article for the ABA Journal of Media, Information and Communications Law, Ballard Partner Phil Yannella examines these differing approaches.

Thank you to everyone who attended our webinar on the California Consumer Privacy Act of 2018. For those who were unable to attend, you can listen to the recording here and obtain a copy of the slide deck here. To access the recording, please fill in the requested information under “Register Now,” select “Yes, I will attend,” and click “Register.”

One of the most bedeviling aspects of data privacy and security law concerns the concept of “reasonable” data security, which has become the default statutory and common law standard. The FTC began articulating a reasonableness standard in the early aughts, when the Commission first began scrutinizing companies’ data security practices. For years, companies quietly grumbled about the vagueness of this standard, which isn’t defined in any regulations or federal statutes. Critics obtained a recent victory when the Eleventh Circuit, in LabMD v. FTC, struck down an FTC judgment on the grounds that the relief sought by the FTC against LabMD, implementation of reasonable data security practices, was too vague to be enforceable. Continue Reading What Does “Reasonable” Data Security Mean, Exactly?

Just as many US businesses were scrambling to meet GDPR compliance, California quickly passed a broad new privacy act, giving businesses another privacy compliance headache. We’ve previously blogged on the dramatic history behind the eleventh-hour passage of the California Consumer Privacy Act (CCPA), so we won’t rehash that story here. Instead, the focus of this post will be on the overlap between the CCPA and the GDPR. Continue Reading Using the GDPR to Comply with the California Consumer Privacy Act