Quebec introduces draft cyber-breach notification regulations
Breach notification and reporting obligations come into effect on September 22, 2022
As part of its significant overhaul of the Act respecting the protection of personal information in the private sector in Bill 64 (now also known as Law 25), the province has introduced mandatory reporting and notification related to data breaches. The provisions in section 3.5 of the Bill will come into effect on September 22, 2022. The provisions are similar to those found in the Personal Information Protection and Electronic Documents Act (Canada) and the Personal Information Protection Act (Alberta), but not surprisingly use different terminology.
Regulated businesses will be required to promptly notify the Commission d’accès à l’information (“CAI”), as well as to the affected individuals whenever such businesses experience a “confidentiality incident” that poses a “risk of serious injury” to an individual. This is similar to a “breach of security safeguards” that results in a “real risk of significant harm” under PIPEDA. Again, similar to PIPEDA, businesses will be required to keep a register of all confidentiality incidents in the manner prescribed by regulation, regardless of the risk of injury.
On June 29th, 2022, a draft regulation regarding confidentiality incidents was published in the Gazette officielle du Québec. The Draft Bill 64 Regulation provides businesses with details related to the content of the new notification and record-keeping requirements. Interestingly, the new regulation also applies to public sector organizations.
Reports to the regulator must include:
(1) the name of the body affected by the confidentiality incident and any Québec business number assigned to such body under the Act respecting the legal publicity of enterprises (chapter P-44.1);
(2) the name and contact information of the person to be contacted in that body with regard to the incident;
(3) a description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description;
(4) a brief description of the circumstances of the incident and what caused it, if known;
(5) the date or time period when the incident occurred or, if that is not known, the approximate time period;
(6) the date or time period when the body became aware of the incident;
(7) the number of persons concerned by the incident and the number of those who reside in Québec or, if that is not known, the approximate numbers;
(8) a description of the elements that led the body to conclude that there is a risk of serious injury to the persons concerned, such as the sensitivity of the personal information concerned, any possible ill-intentioned uses of such information, the anticipated consequences of its use and the likelihood that such information will be used for injurious purposes;
(9) the measures the body has taken or intends to take to notify the persons whose personal information is concerned by the incident, pursuant to the second paragraph of section 63.8 of the Act respecting Access to documents held by public bodies and the Protection of personal information or the second paragraph of section 3.5 of the Act respecting the protection of personal information in the private sector, and the date on which such persons were notified, or the expected time limit for the notification;
(10) the measures the body has taken or intends to take after the incident occurred, including those aimed at reducing the risk of injury or mitigating any such injury and those aimed at preventing new incidents of the same nature, and the date on which the measures were taken or the expected time limit for taking the measures; and
(11) if applicable, an indication that a person or body outside Québec that exercises similar functions to those of the Commission d’accès à l’information with respect to overseeing the protection of personal information has been notified of the incident.
Notably, and unlike PIPEDA and PIPA, the regulations create a requirement to keep the CAI updated as more information relevant to (1) through (11) becomes known.