Data Breach Reporting Policy
A. In the Event of a Breach
- Assess whether there has been a breach of the organization’s security safeguards, including the loss of, unauthorized access to, or unauthorized disclosure of personal information, due to:
  - the breach of its physical, organizational, or technological security safeguards; or
  - the failure to establish security safeguards (a "Breach").
- Prioritize containment of the Breach.
- Comply with the applicable jurisdiction's privacy authority (the "Authority") Data Breach Notification Requirements.
- Report to the appropriate governing body about any Breach that:
  - involves personal information under the organization’s control; and
  - the organization reasonably believes creates a real risk of significant harm to an individual.
- Notify the Authority and affected individuals as soon as feasible after determining that the Breach involves a real risk of significant harm to an individual.
- Determine whether to provide direct or indirect notice to affected individuals.
- Identify any other organizations to notify about the Breach.
- Keep all Breach records.
B. Assess Risk of Significant Harm
- Understand that significant harm includes:
  - humiliation;
  - bodily harm;
  - damage to reputation or relationships;
  - loss of employment, business, or professional opportunities;
  - financial loss;
  - identity theft;
  - negative credit record effects;
  - property damage or loss.
- Consider these factors when determining whether a Breach creates a real risk of significant harm:
  - the sensitivity of the applicable personal information;
  - the probability of past, current, or future misuse of the personal information.
- To determine the personal information’s sensitivity, consider:
  - the Breach’s circumstances;
  - the personal information type;
  - whether the personal information is overtly sensitive, for example, medical or financial information.
- To determine the probability of misuse, consider criteria including:
  - the length of personal information exposure;
  - whether there is evidence of malicious intent;
  - whether the personal information has been recovered;
  - whether the personal information is encrypted;
  - who accessed or could have accessed the personal information.
C. Follow Form and Content Requirements When Reporting to the Authority
- Ensure that the report is in writing.
- Understand that organizations can use their own form if it includes all reporting content required in their jurisdiction.
- At minimum, ensure that the notice contains:
  - a description of the Breach’s circumstances and its cause, if known;
  - the Breach date or time period of occurrence, or an approximation if neither is known;
  - a description of the affected personal information;
  - the number of affected individuals, if known, or an approximation;
  - any steps the organization took to reduce or mitigate harm;
  - any steps the organization took or intends to take to notify individuals; and
  - contact information for a person who can answer questions about the Breach on the organization’s behalf.
- Supplement the initial notice with further information as it arises.
D. Follow Form and Content Requirements When Notifying Affected Individuals
- Ensure that the notice contains:
  - a description of the Breach’s circumstances;
  - the Breach date or time period of occurrence, or an approximation if neither is known;
  - a description of the affected personal information;
  - steps the organization took to reduce or mitigate harm;
  - steps affected individuals can take to reduce or mitigate harm; and
  - contact information affected individuals can use to obtain more information.
E. Determine the Best Way to Notify Affected Individuals
- Unless the organization must provide indirect notice, directly notify all affected individuals by:
  - in-person contact;
  - telephone;
  - mail;
  - email; or
  - any other form of communication reasonably appropriate in the circumstances.
- Understand that affected individuals must receive indirect notice if:
  - direct notice is likely to further harm them;
  - direct notice is likely to cause undue hardship for the organization; or
  - the organization does not have the affected individual’s contact information.
- If indirect notice is appropriate, organizations must provide it by public communication or a similar method that is likely to reach affected individuals, for example:
  - public announcements in online or offline newspapers;
  - prominent messaging on the organization’s website.
F. Determine Whether to Notify Additional Organizations
- Notify any other organization or government institution that can help mitigate or reduce the risk of harm, for example:
  - law enforcement if the Breach involves a stolen device containing personal information;
  - payment card processors if the Breach involves individuals’ credit card data.
- Provide notice as soon as feasible after determining the existence of the Breach.
G. Maintain Appropriate Breach Records
- Keep a record of all Breaches, whether reportable or not, for two years after the day the organization determines that the Breach occurred.
- Ensure the records contain enough information for the governing body to verify the organization’s compliance with reporting and notice requirements, including at a minimum:
  - the date or approximate date of the Breach;
  - a general description of the Breach’s circumstances;
  - the kind of information involved;
  - whether affected individuals received notice of the Breach; and
  - whether the organization reported the Breach to a governing body/Authority (as applicable in Canada or the EU).
- Understand that the records should describe the type of personal information affected but need not include personal details.
- Consider whether other legal requirements exist that require the organization to keep Breach records beyond two years.