On April 18, 2018, the Government of Canada published the final regulations relating to mandatory reporting of privacy breaches under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”). To date, most organizations under PIPEDA’s purview have not been subject to mandatory privacy breach notification requirements. While organizations in the United States are familiar with breach notification statutes, organizations both within and outside of Canada will need to pay careful attention to the new requirements imposed under PIPEDA and assess any changes that need to be made to ensure compliance when the final regulations go into effect on November 1, 2018.

 Application to Organizations

Within Canada, PIPEDA applies to:

  • All private sector organizations that collect, use, or disclose personal information in the course of their commercial activities (PIPEDA does not apply to organizations that operate entirely in Alberta, British Columbia, or Quebec);
  • Personal information about an employee of, or an applicant for employment with, the organization and the organization collects, uses, or discloses that personal information in connection with the operation of federal works, undertakings, and businesses; and
  • All personal information that flows across provincial or national borders in the course of commercial transactions involving organizations subject to PIPEDA or similar legislation.

Outside of Canada, PIPEDA applies to foreign organizations with a real and substantial link to Canada that collect, use, or disclose the personal information of Canadians in the course of their commercial activities.

Important Definitions

To understand the requirements imposed under PIPEDA, organizations will need to understand the terms of the statute that trigger notification. For those organizations familiar with breach notification statutes, PIPEDA’s definition of “breach” will look familiar. PIPEDA defines a “breach of security safeguards” as the “loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguard or from a failure to establish those safeguards.”

On the other hand, PIPEDA’s definition of “personal information” is extremely broad. “Personal information” is defined as any “information about an identifiable individual.” This definition of “personal information” encompasses any factual or subjective information, recorded or not, about an individual, including, but not limited to, name, age, ethnic origin, religion, Social Insurance Number, email address, health information, financial information, biometric information, employee files, credit reports, and education history.

Notification Requirements

An organization must notify individuals of any breach of the security of safeguards involving their personal information if it is reasonable to believe that the breach creates a “real risk of significant harm.” Concurrently, the organization must also report to the Privacy Commissioner of Canada.

Prior to notification, organizations will have the opportunity to engage in a risk of harm analysis to determine whether the circumstances of the breach actually pose a real risk of significant harm to individuals. If not, notification is not required. To assist organizations in this determination, PIPEDA defines “significant harm” to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.

PIPEDA will also require organizations to notify additional government institutions if the organization believes that the organization may be able to reduce or mitigate the risk of harm to the affected individuals by issuing the notification.

Timing of Notifications

Notification to impacted individuals and the Privacy Commissioner should occur as soon as feasible after the organization determines a breach has occurred.

 Content of Report to Commissioner

 The report to the Privacy Commissioner must be sent by any secure means of communications and contain the following:


·         Description of the circumstances of the breach and the cause, if known;

·         The day or the period during which the breach occurred, or the approximate period;

·         A description of the personal information subject to the breach, if known;

·         The number of individuals or approximate number of individuals affected;

·         A description of the steps taken by the organization to reduce or mitigate the risk of harm to affected individuals;

·         A description of the steps that the organization has taken or intends to take to notify affected individuals in accordance with PIPEDA; and

·         The name and contact information of a person who can answer the Commissioner’s questions on behalf of the organization.

Content of Notice to Individuals

 Notification to individuals must occur in person, by telephone, mail, email, or any other form of communication that a reasonable person would consider appropriate and include:


·         Description of the circumstances of the breach;

·         The day or the period during which the breach occurred, or the approximate period;

·         A description of the personal information subject to the breach, if known;

·         A description of the steps taken by the organization to reduce or mitigate the risk of harm from the breach;



·         A description of steps individuals can take to reduce the risk of harm that could result from the breach; and

·         Contact information that the individual can use to obtain further information about the breach.

Record Keeping Requirements

Most notably, PIPEDA will now require organizations to keep and maintain a record of every breach of security safeguards for twenty-four (24) months. What constitutes a record is subject to interpretation, however, the record must contain any information that enables the Privacy Commissioner to verify compliance with PIPEDA. On request, an organization must be prepared to provide the Privacy Commissioner with access to, or a copy of, a record.


Organizations should carefully review, revise, and implement new privacy policies and procedures prior to November 1, 2018 to ensure compliance with the mandatory breach notification and record-keeping requirements imposed by PIPEDA.



A new bill introduced by House Financial Services subcommittee Chairman Rep. Blaine Luetkemeyer would significantly change data security and breach notification standards for the financial services and insurance industries. Most notably, the proposed legislation would create a national standard for data security and breach notification and preempt all current state law on the matter. Continue Reading Proposed House Bill Would Set National Data Security Standards for Financial Services Industry

South Carolina has become the first state to enact a version of the Insurance Data Security Model Law, which was drafted by the National Association of Insurance Commissioners (NAIC) in 2017. Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law on May 14, 2018. The Act will become effective on January 1, 2019.

South Carolina Insurance Director Raymond G. Farmer chaired the NAIC Cybersecurity Working Group that drafted the model law. The South Carolina Act appears to follow the Model Law closely, and bears similarities to cybersecurity laws and regulations enacted in other states and at the federal level – including the New York Department of Financial Services cybersecurity regulations, the new Alabama data breach law, and HIPAA/HITECH data security/breach notification requirements. Continue Reading South Carolina Enacts First Insurance Data Security Act

The fallout from the Yahoo data breaches continues to illustrate how cyberattacks thrust companies into the competing roles of crime victim, regulatory enforcement target and civil litigant.

Yahoo, which is now known as Altaba, recently became the first public company to be fined ($35 million) by the Securities and Exchange Commission for filing statements that failed to disclose known data breaches. This is on top of the $80 million federal securities class action settlement that Yahoo reached in March 2018—the first of its kind based on a cyberattack. Shareholder derivative actions remain pending in state courts, and consumer data breach class actions have survived initial motions to dismiss and remain consolidated in California for pre-trial proceedings. At the other end of the spectrum, a federal judge has balked at the U.S. Department of Justice’s (DOJ) request that a hacker-for-hire indicted in the Yahoo attacks be sentenced to eight years in prison for a digital crime spree that dates back to 2010. Continue Reading The Hacked & the Hacker-for-Hire: Lessons from the Yahoo Data Breaches (So Far)

The ACC Foundation will be hosting a second webcast on May 1, 2018 at 12:00 EDT to discuss the results of the Foundation’s State of Cybersecurity Report.  You can sign up for the webcast here.

The Report surveyed 600 in-house counsel from around the world on a range of cybersecurity issues including data breach response, information security standards, GDPR preparation, vendor management and cyberinsurance.  The Report provides valuable cybersecurity benchmarking in a range of industries and identifies hot button issues for in-house counsel with responsibility for managing their company’s cybersecurity programs to consider.

The second webcast will focus on how companies interact with law enforcement in the wake of a data breach, trends in the appointment of a DPO under the GDPR, respondents’ views on proposed breach legislation, and gaps in information security programs.

Ballard Spahr served as a sponsor for the Report (as it did in 2015 for the first Report).  Phil Yannella, co-chair of Ballard’s Privacy & Data Security Group, served on the Advisory Board for the Report and will participate in the webcast.

In March, we reported that the Oregon legislature was considering amending its data breach notification and information security laws. That legislation has now passed the Oregon legislature and been signed into law by Oregon’s governor.  A copy of the new law is available here. The most notable changes are as follows:

Continue Reading Oregon Amends Data Breach Notification and Information Security Laws

Alabama has officially joined the data breach notification party. Alabama Governor Kay Ivey signed Act No. 2018-396 into law on March 28, 2018. The law will take effect on June 1, 2018. Although it was last in the country to enact such a data security law, Alabama’s new law will immediately take its place among the most stringent in the nation.

The Alabama law generally can be categorized into four obligations:

  • All entities subject to the law (covered entities and third-party agents) must “implement and maintain reasonable security measures to protect sensitive personally identifying information against a breach of security.”
  • A “covered entity shall conduct a good faith and prompt investigation” into “a breach of security that has or may have occurred in relation to sensitive personally identifying information.”
  • A covered entity must notify each affected Alabama resident, and a third-party agent must notify the covered entity, of a “breach of security involving sensitive personally identifying information;”
  • A covered entity must notify the Alabama Attorney General and credit reporting agencies of a breach involving more than 1,000 Alabama residents.

Continue Reading Alabama Becomes 50th State to Enact Data Breach Notification Law

South Dakota (site of Ballard’s newest office) has become the 49th State to enact a data breach notification law.  South Dakota Governor Dennis Daugaard signed SB 62 into law on March 21, 2018.  The law will take effect on July 1, 2018.

As with similar measures pending in other state legislatures, SB 62 was introduced in the South Dakota Senate on January 9, 2018, in the wake of the disclosures relating to the Equifax breaches. The law generally mirrors those of many other states, but includes a few new wrinkles. Continue Reading South Dakota Enacts Data Breach Notification Law

Massachusetts Attorney General Maura Healey has unveiled a new, “easier and more efficient” way to notify her office of data breaches. The Massachusetts Attorney General’s Office has created an online portal and web form for submitting data breach notifications.  An email announcing the changes was transmitted this week to attorneys who have previously filed data breach notices on behalf of clients. The email requested our “assistance in passing the message along,” which we are hereby doing.

Attorney General Healey stated, “This new feature allows businesses to more efficiently report data breaches so we can take action and share information with the public.”  The Attorney General Office’s website will soon include a publicly accessible database of data breaches reported to the Office. Other states, including California and Maryland, have similar public databases.

Continue Reading Massachusetts Attorney General Launches Online Data Breach Reporting Portal

Add South Dakota (site of Ballard’s newest office) and North Carolina to the list of states considering new data security legislation. South Dakota is poised to become the 49th state to enact a data breach notification law, while North Carolina is considering a very significant expansion of its existing law.

Will South Dakota Become No. 49?

The South Dakota Senate passed SB 62 on January 25, 2018. The bill, which now heads to the South Dakota House of Representatives, generally would require an “information holder” to notify South Dakota residents of any “breach of system security” involving their “personal or protected information.” Subject to certain exceptions, notification to South Dakota residents must be made “not later than sixty days from the discovery or notification of the breach of system security.” The South Dakota Attorney General and “all consumer reporting agencies as defined in 15 U.S.C. § 1681a” also must be notified of breaches involving more than 250 South Dakota residents. Notification to South Dakota residents is not required “if following appropriate investigation and notice to the attorney general, the information holder reasonably determines that the breach will not likely result in harm to the affected person.” Continue Reading South Dakota and North Carolina Consider New Data Security Legislation