L E G A L 
 risk of significant harm to an individual. This test is objective.  
 While PIPA does not define “real risk” or “significant harm,”  
 the OIPC has provided some guidance. 
 Harm requires that some damage, detriment or injury
 could be caused to affected individuals as a result of the
 breach. The harm must also be significant, meaning that it
 must be important, meaningful, and with non-trivial consequences
 or effects. Accordingly, “significant harm” has been
 defined by the OIPC as including bodily harm, embarrassment,
 humiliation, damage to reputation or relationships,
 loss of employment, business or professional opportunities,
 financial loss, identity theft, fraud, negative effects on the
 credit record and damage to or loss of property.
 The likelihood that the significant harm will result must  
 be more than mere speculation or conjecture. There must  
 be a cause and effect relationship between the incident and  
 the possible harm. In determining whether there is a “real  
 risk” of significant harm, the organization must consider all  
 of the circumstances surrounding the breach, including, but  
 not limited to, the nature or sensitivity of the information  
 involved, how many persons the information was exposed  
 to, whether security measures were in place to prevent unauthorized
 access, if there is evidence of malicious intent or purpose,
 if the information could be used for criminal purposes,
 and how many individuals were affected by the breach. 
 Highly sensitive personal information (such as Social  
 Insurance Numbers and credit card numbers that include an  
 individual's name or address) combined with circumstances
 where information was stolen for criminal purposes, where  
 the recipients of the information could not be determined or  
 where electronic devices containing the personal information
 had no security measures, making access possible and
 unknown, have led to a finding by the OIPC that a real risk
 of significant harm exists as a result of a breach. On the other  
 hand, low-sensitivity personal information (such as names,
 addresses, email addresses and phone numbers) combined  
 with circumstances where the recipients were known to the  
 organization or where the information was destroyed shortly  
 after the breach has resulted in a finding by the OIPC that no
 real risk of significant harm exists as a result of the breach. 
 Finally, PIPA provides for fines of up to $10,000, in the case
 of an individual, and $100,000, in the case of a person other
 than an individual, if the organization fails to notify the OIPC
 of a reportable breach.
 This article provides a brief summary of the breach notification
 rules under PIPA and should not be construed as legal
 advice. Readers are encouraged to speak with legal counsel
 to better understand how breach notification rules affect
 their organization.
 Kelsey M. Yakimoski is an associate  
 with Fillmore Riley LLP who practises  
 primarily in the area of civil litigation.  
 You may reach her at (204) 957-8397  
 or kyakimoski@fillmoreriley.com. 
 ALBERTA HEAVY  1 2019  29 
 
				