The COVID-19 pandemic has given rise to new cyber security challenges. The large-scale transition towards remote work makes data circulating within organizations more vulnerable than ever. What is more, the Canadian Centre for Cyber Security posted an alert in mid-March on the high risk of cyber threats to Canadian health and medical research organizations involved in the national response to the health crisis.
The current versions of the Act respecting the protection of personal information in the private sector (the "Private Sector Act") and the Act respecting access to documents held by public bodies and the protection of personal information (the "Access Act" and, collectively with the Private Sector Act, the "Acts") set no legal obligation to report personal information leaks. Whether to report such incidents remains up to the private enterprises and public bodies subject to these Acts. Québec law currently lags behind federal law, Alberta law and Europe's General Data Protection Regulation, all of which lay down reporting obligations with regard to confidentiality incidents. Bill 64 (the "Bill") proposes adding to the Private Sector Act and the Access Act new reporting obligations that would affect the way private enterprises and public bodies prepare for and respond to confidentiality incidents.
New reporting and documentation rules with respect to "confidentiality incidents"
Notion of "confidentiality incident"
First, the Bill proposes that each Act include the notion of "confidentiality incident" which it defines as follows:
- Access to or use or communication of personal information not authorized by law; or
- Loss of personal information or any other breach in the protection of such information.
Confidentiality incidents can take various forms: third-party intrusions into an organization's computer system, ransomware attacks, loss of data caused by a virus or computer flaw, extraction of data by an employee or unauthorized person, etc.
The Bill proposes that the Acts include an obligation to promptly notify the following persons and bodies if the confidentiality incident presents a risk of serious injury:
- The Commission d'accès à l'information (CAI);
- Any person whose personal information is concerned by the incident; and
- Any person or body that could reduce the risk; in that case, only the personal information necessary for that purpose may be communicated to it, without the consent of the person concerned (optional).
The Bill does not provide a specific timeframe in which these parties must be notified, but specifies that it must be done "promptly".
If an enterprise fails to notify the persons whose personal information is concerned by the incident, the CAI may order it to do so. However, a person whose personal information is concerned by the incident need not be notified so long as doing so could hamper an investigation conducted by a person or body responsible by law for the prevention, detection or repression of crime or statutory offences.
The Bill also provides a framework for assessing whether a confidentiality incident presents a risk of serious injury to a person whose personal information is affected. Elements to consider include the sensitivity of the information concerned, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes.
Obligation to keep a register of incidents
The Bill introduces an obligation for enterprises to keep a register of confidentiality incidents, which must be sent to the CAI upon request. While the register will most often be requested for due diligence reviews prior to establishing partnerships, other commercial transactions and even disputes involving information security, its existence means that confidentiality incidents will be able to lastingly tarnish an organization's image.
Penalties for non-compliance with the new rules
When a confidentiality incident occurs, the CAI may order any person to take any measure to protect the rights of the persons concerned, for the time and on the conditions the CAI determines.
In addition to the reputational damage caused by confidentiality incidents, administrative monetary penalties may be imposed on any person who fails to report, when required to do so, a confidentiality incident to the CAI or to the persons concerned. Under the Private Sector Act, the amount of the administrative monetary penalty would be discretionary, up to a maximum of $50,000 in the case of a natural person and $10,000,000 (or, if greater, the amount corresponding to 2% of worldwide turnover for the preceding fiscal year) in all other cases.
Penal provisions also apply. The Bill sets out, for the Private Sector Act, that anyone who fails to report, when required to do so, a confidentiality incident to the CAI or to the persons concerned commits an offence and is liable to a fine of $5,000 to $50,000 in the case of a natural person or, in all other cases, $15,000 to $25,000,000 (or, if greater, the amount corresponding to 4% of worldwide turnover for the preceding fiscal year).
How should organizations prepare for these new rules?
Measures required under the Acts and the Bill
The Acts already set out that private enterprises and public bodies must take the necessary security measures "to ensure the protection of the personal information collected, used, released, kept or destroyed and that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored".
The Bill maintains these provisions and proposes the addition of provisions whereby a person operating a private enterprise or public body that "has cause to believe that a confidentiality incident involving personal information it holds has occurred must take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature".
These "fixed" security measures are thus enhanced by "reactive" measures to address confidentiality incidents and prevent them from happening again.
While the Bill does not yet specify the nature of these "reasonable measures", in practice the following should be among the first steps taken by any organization that has reason to believe a confidentiality incident may have occurred:
- A thorough examination of the computer system(s) affected;
- Changing the passwords used to access the system(s); and
- Improving existing security protocols, among other measures.
Though these first reflexes may be useful if a confidentiality incident occurs, we strongly recommend that organizations prepare far ahead of time. Fasken has extensive information security and confidentiality incident management expertise and can advise you on the various measures that can be taken to adequately prevent and respond to confidentiality incidents. These measures include:
• Incident prevention measures:
- Reviewing and improving computer systems and computer protection measures, including antivirus software and data backups;
- Intrusion (penetration) tests to verify the reliability of computer system protection measures;
- Training staff on cyberattack risks, best practices for personal information protection and reporting of potential incidents;
- Data mapping;
- Implementing a compliance program based on recognized international standards and obtaining certification (for example, ISO/IEC 27701);
- Implementing a data deletion policy for unnecessary or obsolete data;
- Implementing a policy to control employee access to data;
- Implementing a policy to limit data collection; and
- Implementing a policy for using technological tools;
• Incident management measures:
- Opting for cyber insurance coverage;
- Implementing a confidentiality incident response plan, including appointing a crisis unit and selecting IT and legal experts (breach coach);
- Conducting confidentiality incident simulations;
- Reviewing contracts with service providers to determine contractual obligations and undertakings with respect to incident reporting and information security.
Conclusion: Québec and others
If passed as tabled on June 12, Bill 64 would help align Québec legislation with Canadian and international laws. For a comparison of the rules proposed by the Bill with those already in force in Canada and Europe, please refer to the Comparative table of security incident reporting mechanisms. We also invite you to read the article L'obligation de notification en cas de violation de la confidentialité pour une entreprise du secteur privé (French only), which delves deeper into the obligation of notification in the event of a personal information breach.
Act respecting the protection of personal information in the private sector, chapter P-39.1.
Act respecting access to documents held by public bodies and the protection of personal information, chapter A-2.1.
Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5.
Personal Information Protection Act (Alberta), SA 2003, c P-6.5.
Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, 1st sess., 42nd legislature, Québec, June 12, 2020 (presentation) ("Bill").
Bill, sections 14 and 95.
Ibid., sections 44 and 144.
Ibid., section 150.
Ibid., section 151. Section 64 of the Bill sets out that, for the Access Act, the fine is $1,000 to $10,000 in the case of a natural person and $3,000 to $30,000 in all other cases.
Private Sector Act, s. 10; Access Act, s. 63.1.
Bill, sections 14 and 95.
Antoine AYLWIN, "L'obligation de notification en cas de violation de la confidentialité pour une entreprise du secteur privé", in Revue du Barreau, volume 74, Barreau du Québec, 2015.