The ABC's of reporting a privacy breach under Quebec's new Law 25

This article was originally published on Nov. 24 and has been updated on Dec. 14 to reflect information on when the Regulation will come into force.

Sept. 22, 2022 marked a pivotal moment for privacy law in Québec: it is the day on which the first set of requirements under Law 25, the Act to modernize legislative provisions respecting the protection of personal information (the "Act"), came into effect. Along with these requirements came the Regulation respecting confidentiality incidents (the "Regulation"), which aims to clarify organizations' record-keeping obligations under Law 25. The Regulation, which was tabled in June 2022, was adopted on Nov. 30, 2022, and will come into force on Dec. 29, 2022.[1]

With these new requirements in mind, the purpose of this article is two-fold: (1) to highlight the first set of changes brought about by Law 25 regarding the management of confidentiality incidents; and (2) to summarize the disclosure and record-keeping requirements under the Regulation.

Managing confidentiality incidents

What is a "confidentiality incident"?

Section 3.6 of the Act defines a "confidentiality incident" as an unauthorized access, use or communication of personal information, loss of personal information, or other breach in the protection of such information.

Mandatory breach reporting

If a confidentiality incident presents a "risk of serious injury," an organization will be required to take reasonable measures to reduce the risk of injury and to prevent new incidents of the same nature, which includes promptly notifying the Commission d'accès à l'information du Québec (the "CAI") and all affected individuals. Whether a particular incident presents a "risk of serious injury" depends on the sensitivity of the information, the anticipated consequences of its use, and the likelihood that the information will be used for injurious purposes. This concept bears resemblance to the notion of breach of "security safeguards" referenced in the Personal Information Protection and Electronic Documents Act ("PIPEDA"); however, PIPEDA places greater emphasis on the likelihood of harm rather than injury.

Disclosure and record-keeping requirements under the regulation

The Regulation sets out the requirements for individual notices and reports to the CAI and details what information organizations must keep track of in their incident register.

Notice to the CAI

When: According to the Regulation, if an entity holding personal information has grounds to believe that a confidentiality incident has occurred, it must "promptly" send a written notice to the CAI.

Content: The written notice must contain the following:

1. Name of the organization affected by the confidentiality incident, along with its Québec Company Registry number;
2. Contact information of a person within the organization who can answer questions regarding the incident;
3. Description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description;
4. Brief description of the circumstances of the incident and what caused it, if known;
5. Date or time period when the incident occurred (or an approximation, if unknown);
6. Date or time period during which the organization became aware of the incident;
7. Number of individuals affected by the incident and the number of individuals residing in Québec (or an approximation, if unknown);
8. Description of the elements that led to the conclusion that the individuals concerned suffer from a risk of serious injury;
9. Steps the organization has taken or intends to take to notify affected individuals of the breach;
10. Steps the organization has taken or intends to take after the incident occurred, including those aimed at reducing/mitigating the risk of injury and preventing the reoccurrence of similar incidents in the future; and
11. Indication that other privacy regulators have been informed of the incident, if applicable.

Notice to the individuals concerned

When: The Regulation also provides that an organization must "promptly" send a notice to all individuals whose personal information was the subject of a confidentiality incident. This notice is sent directly to the individual concerned, unless sending such a notice is likely to cause increased injury to the individual/undue hardship for the organization and/or if the organization does not have the individual's contact information. In such cases, the organization may notify affected individuals via public notice.

Content: Similar to the written notice to the CAI, the written notice to the individuals concerned must contain the following:

1. Description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description;
2. Brief description of the circumstances of the incident;
3. Date or time period when the incident occurred (or an approximation, if unknown);
4. Brief description of the steps the organization has taken or intends to take after the incident occurred in order to reduce the risks of injury;
5. Measures that the organization suggests the individual concerned take in order to reduce/mitigate the risk of injury; and
6. Contact information where the individual concerned may obtain more information about the incident.

Contents of the confidentiality incidents register

What: Law 25 mandates that organizations keep a register of confidentiality incidents, regardless of whether such incident requires notice to the CAI and/or to any individuals whose personal information was compromised. While the Regulation does not specify a format for the register, it must nonetheless be comprehensive, as organizations are required to send a copy of the register to the CAI upon request.

How long: Organizations are required to maintain records of confidentiality incidents for five years after the date or time period when the company first became aware of the incident.

Content: Much like the content of the notices described above, the register must have:

1. Description of the personal information covered by the incident or, if that information is not known, the reasons why it is impossible to provide such a description;
2. Brief description of the circumstances of the incident;
3. Date or time period when the incident occurred (or an approximation, if unknown);
4. Date or time period during which the organization became aware of the incident;
5. Number of individuals affected by the incident (or an approximation, if unknown);
6. Description of the elements that led to the conclusion that the individuals concerned suffer from a risk of serious injury;
7. If the incident presents a risk of serious injury, the transmission dates of the notices to the CAI and the individuals concerned as well as an indication of whether a public notice was required; and
8. Brief description of the steps the organization has taken or intends to take after the incident occurred in order to reduce the risks of injury.

Conclusion

Ensuring compliance with Québec's new Law 25 can be a complicated and lengthy process as it imposes a number of onerous obligations on organizations, both public and private. Our team of cyber security and data protection lawyers can assist you in reviewing your organizational structure for prevention, management and response to incidents, your security policies and incident response plan, contracts with service providers, and your cyber security training programs. In the event of a cyber attack, we can advise you on reporting obligations, insurance considerations, potential class-action liability and managing investigations.