PIPEDA: New Liabilities for Landlords and Property Managers
As of November 1, 2018, landlords and property managers in Canada will have enhanced obligations to keep records and report data breaches under the Personal Information Protection and Electronic Documents Act (PIPEDA). If you experience a data breach – referred to in the regulation as a “breach of security safeguards”- you will be exposed to new liabilities, including:
The purpose of the regulation is to ensure that Canadians, including tenants, receive consistent information about data breaches that may pose a “significant harm” to them, and that notifications contain sufficient information to enable them to understand the significance and potential impact of the breach. The new definition of “significant harm” in s. 2 of PIPEDA is very broadly defined; for example, it includes “humiliation”, damage to “relationships”, and identity theft. To minimize risk, landlords should collect the minimum of personal information needed to properly assess creditworthiness; to pursue collections and enforcement of leases; and to confirm the identity of tenants and occupants in the building. Such information should be destroyed when its use is no longer relevant to Landlord’s operations.
Multi-res landlords are already required to have security protocols in place to prevent security breaches. Such protocols include storing documents in locked cabinets and protection of electronic documents by password and encryptions. A further important protocol now mandated by PIPEDA is to have an “Incident Response Plan” which is triggered when a breach occurs and the Plan should provide for employee training and proper disclosure of the breach to the affected party and the Privacy Commissioner. A further key component of any Incident Response Plan is to ensure that a “Privacy Breach File” is in place and maintained if or when a privacy breach occurs. The existence of such a file will be relevant in any legal proceedings alleging a failure by a landlord to report a breach and may be used to satisfy a court that the alleged breach in question, to the knowledge of the landlord, did not occur. Lastly, landlords should consider obtaining “Cyber-Insurance” to protect the organization from the potentially devastating consequences of privacy class actions or court proceedings based on alleged privacy breaches.
Another significant area of risk for Landlords and property managers is in relation to disclosures of personal information to third party suppliers and service providers. The landlord will generally be held liable as the “responsible” party for reporting purposes even where a third party is responsible for the breach. Contracts with suppliers should have clauses which require the contractor to notify the landlord of all potential breaches; clauses that require the contractor to cooperate with the landlord to investigate breaches; and, a contractual obligation to provide information so that landlords can meet their notification, record keeping and reporting obligations.
Finally, landlords and property managers should review their existing policies to prepare for this important change. Policies concerning reporting of breaches, risk assessments, record keeping, staff training, and third party disclosures should be updated to reflect these new requirements. If you require assistance updating your policies or interpreting your obligations under the regulation, please do not hesitate to contact us.
If you have questions regarding this Bulletin, you can contact Laura Glithero at firstname.lastname@example.org or by telephone at 519-672-9330
Laura Glithero is a partner with Cohen Highley LLP in London. Cohen Highley has offices in London, Kitchener, Chatham and Sarnia. Laura provides risk management and regulatory compliance advice to housing providers and property management companies. Laura can be reached at email@example.com or 519-672-9330 x 427.