Just when you think you have it all under control, the data breach notification law landscape changes – again. Over the past few weeks, several data breach notification statutes were updated, including an effective date for Canada’s mandatory breach notification obligations, as well as the adoption of legislation in the two holdout states (Alabama and South Dakota). Here is the latest:

  • Canada: On March 26, the Governor General in Council, on recommendation of the Minister of Industry, set November 1, 2018, as the effective date for the mandatory data breach notification obligations in the Digital Privacy Act 2015, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA). Beginning November 1, any organization must report to the Privacy Commissioner if it has a reasonable belief that a breach of information under its control creates a real risk of “significant harm” to Canadian residents, as well as notify affected individuals. The term “significant harm” includes bodily harm; humiliation; damage to reputation or relationships; loss of employment, business, or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property. The notice to affected individuals must contain sufficient information to allow the individual to understand the significance of the breach and to take any steps to mitigate or reduce the risk of any resulting harm.
  • Alabama: On May 1, 2018, the Alabama Data Breach Notification Act will take effect, requiring that companies provide notice of the unauthorized acquisition of electronic data containing sensitive personally identifiable information that is reasonably likely to cause substantial harm. The term “sensitive personally identifiable information” includes an Alabama resident’s first name or first initial and last name in combination with Social Security or tax identification number; driver’s license or other unique government-issued identification number; financial account number in combination with the required security code, access code, password, expiration date, or PIN; medical and health insurance information; or online account credentials. The Act sets a 45-day time limit for consumer and Attorney General (if more than 1,000 Alabama residents are affected) notice. The consumer notice must contain (1) the estimated date(s) of the breach; (2) a description of the affected information; (3) a general description of the remedial actions taken; (4) a general description of the steps consumers can take to protect themselves from identity theft; and (5) the company’s contact information. The Attorney General notice must contain (1) a synopsis of the event surrounding the breach at the time notice is provided; (2) the approximate number of affected Alabama residents; (3) any free services offered to affected individuals, and instructions on how to use those services; and (4) the name, address, telephone number, and email address of the company’s point person for the breach. A violation of the Act will constitute an unlawful trade practice under the Alabama Deceptive Trade Practices Act, subject to a civil penalty of up to $5,000 per day.
  • South Dakota: On March 21, South Dakota enacted S.B. 62. Effective July 1, 2018, the statute will require that companies provide notice of the unauthorized acquisition of unencrypted computerized data (or encrypted computerized data and the encryption key) that materially compromises the security, confidentiality, or integrity of personal or protected information. The statute (1) contains expanded definitions of personal and protected information, which include health information, an employer-assigned ID number in combination with the required security code, access code, password, or biometric data, and online account credentials; and (2) sets a 60-day time limit for consumer notice, unless legitimate law enforcement needs require a longer time period. Attorney General notice is required if the number of affected South Dakota residents exceeds 250. Violators are liable for a civil penalty of up to $10,000 per day per violation.
  • Oregon: On March 16, Oregon enacted amendments to its data breach notification law, which take effect June 2, 2018. The amendments clarify that personal information includes an Oregon resident’s first name or first initial and last name in combination with any information or combination of information that would permit access to her financial account, and require consumer and Attorney General (if the number of affected residents exceeds 250) notice within 45 days of discovery of a breach. Additionally, if a company provides free credit monitoring or identity theft prevention and mitigation services, it may not require that consumers provide a credit or debit card number (or any fee) to take advantage of those free services. Likely prompted by the Experian data breach, the amendments also prohibit consumer reporting agencies from charging a fee for a consumer to place or lift a security freeze. Previously, the statute capped such fees at $10.
  • Arizona: On April 5, the Arizona Governor received H.B. 2154, which if enacted, would (1) expand the definition of personal information to include a private key unique to an individual and used to authenticate or sign an electronic record, medical and health insurance information, passport and taxpayer identification number, unique biometric data, and online account credentials; and (2) require notification to affected consumers, as well as the Attorney General and the three largest credit reporting agencies if more than 1,000 Arizona residents are affected, within 45 days. Such notices would need to include the approximate date of the breach; a brief description of the affected personal information; the toll-free numbers for the three largest CRAs; and the toll-free number, address, and website address for the FTC. Importantly, these amendments would also create notice provisions specific to online account credentials and clarify that notice should not be made to the affected account, and should prompt the individual to (1) immediately change her password or security question and answer, and (2) take appropriate steps to protect the affected account and all other online accounts with the affected account credentials. If Arizona adopts these amendments, it will become the twelfth state to require notice in the event of a breach of online account credentials – joining California, Delaware, Florida, Illinois, Maryland, Nebraska, Nevada, Rhode Island, and Wyoming, and most recently, Alabama and South Dakota.

These developments demonstrate that data breach notification statutes are evolving, often in response to high-profile data breaches and/or concerns about a specific industry or a specific type of data – such as online account credentials. We expect U.S. states to continue to update these laws, and in particular, to (1) expand the definition of personal information to include medical and health insurance information, biometric data, and online account credentials; (2) require notice to consumers and/or regulators within a specific time period; (3) impose data security requirements; and (4) address concerns with specific industries, such as credit reporting agencies. Stay tuned for more updates!

Recently, Health Canada released guidance to help companies understand their reporting obligations under section 14 of the Canada Consumer Product Safety Act, which requires that sellers, distributors, importers, and manufacturers report after becoming aware of any health or safety incident involving a consumer product. Notably, the guidance clarifies (1) what constitutes a reportable “incident,” (2) at what point a company is “aware” of an incident, (3) when a company must report, (4) what information each report must include, and (5) how Health Canada will treat confidential business information and private information.

What Constitutes an “Incident”?

Section 14 of the Act defines an “incident” as an occurrence, defect, or characteristic, or as incorrect, inadequate, or absent information on a label or in instructions, that resulted or may reasonably have been expected to result in death or serious negative impacts on health. In addition, an “incident” occurs when the company undertakes a recall or other action, whether or not in Canada, based on concerns about human health or safety.

The guidance explains that a serious health impact includes harmful effects that bring about a temporary or permanent change to health, including, for example, external physical harm, poisoning, and loss of sight or hearing. Whether an injury is serious, however, will depend on other factors such as the age of the consumer and the part of the body that is harmed, and should be considered from the viewpoint of the consumer. Regardless, if a company decides not to report, it must be prepared to justify its decision if questioned by a Health Canada Product Safety Officer.

When Is a Company “Aware” of an Incident, and When and What Must It Report?

Under the Act, a company has an obligation to report as soon as it becomes “aware” of an incident, even if it does not have details on all aspects of the incident, as the obligation to report occurs as soon as the company has awareness that an incident could lead to a recall. As a result, Health Canada states that a company should not wait for further details or absolute certainty – i.e., a formal risk assessment – to report and, if it is not certain that an incident has occurred, should report on a precautionary basis.

Within two days of awareness, the company must provide all information about the incident to Health Canada and to the person from whom the company received the product – i.e., up the supply chain. The initial report must include:

  • All information about the product (name, model number, UPC, serial number),
  • A description of how the incident happened,
  • Details of injuries, such as the body part, age of the victim, and kind of treatment needed,
  • Details on where the product is sold,
  • The complete name and contact information of the manufacturer or importer, as it appears on the product label,
  • Information on any other known events related to the product,
  • Information on any other known incidents reported to Health Canada in the past, and
  • Information on products that share the same parts as those involved in the incident.

Furthermore, within 10 days of awareness, manufacturers must submit a written report with additional information about the product, including new details about the incident, the number of products distributed, the standards to which the product is certified, any test reports, the steps taken (or that will be taken) to ensure safety, and the proposed corrective action.

How Will Health Canada Handle Confidential Business Information and Personal Information?

Sections 16 and 17 of the Act allow Health Canada to disclose confidential business information to protect human health or safety or the environment, and with or without consent or notice to (1) a person or government that carries out functions relating to the protection of human health or safety or the environment, or (2) the public if the product poses a serious and imminent danger to human health or safety or the environment. Health Canada notes, however, that it is often possible to deal with health or safety concerns without disclosing confidential business information, and the agency will consider relevant factors when determining whether to make a disclosure in a particular case.

Regarding personal information, Health Canada explains that it does not routinely require personal information when it assesses incident reports and recommends that companies omit consumer personal information from them. The Canadian Privacy Act will govern Health Canada’s management – and disclosure – of personal information.