Mortgage Broker is the magazine of the Canadian Mortgage Brokers Association and showcases the multi-billion dollar mortgage-broking industry to all levels of government, associated organizations and other interested individuals.
Issue link: http://digital.canadawide.com/i/708399
CMB MAGAZINE cmba-achc.ca summer 2016 | 25

PIPEDA amended

Amendments

A mortgage broker who is subject to PIPEDA would be required to report any breach of security safeguards that poses a real risk of significant harm to affected individuals. Significant harm includes (but is not limited to) bodily harm; humiliation; damage to reputation or relationships; loss of employment, business or professional opportunities; financial loss; and identity theft. Determining if the risk of significant harm is "real" requires consideration of the sensitivity of the information involved and the probability that the information was or will be misused. Further factors may be provided in the regulations.

If a breach has occurred and there is a real risk of significant harm, the mortgage broker must report the breach to the federal Privacy Commissioner's office. The report must be made as soon as feasible. The form and required content of the report are being worked on and likely will be part of the regulations.

As well, if a breach has occurred, the mortgage broker is required to notify affected individuals. The notification is to contain sufficient information to inform the individual of the risks created by the breach and the steps available to reduce or remove the risk of harm. The form and required content of this notification are being worked on and will likely be part of the regulations.

Further, the mortgage broker would be required to notify third parties of a potentially harmful data breach if the mortgage broker believes notifying the third party (for example, credit bureaus, credit-card-issuing banks, and law-enforcement agencies) may reduce or remove the risk of harm. The amendment gives the government the right to require that the mortgage broker give this third-party notice in specific circumstances.
A mortgage broker must maintain a record of security safeguard breaches involving personal information under his or her control, even in situations where the conclusion was that the breach did not create a real risk of significant harm. The Commissioner is entitled to require that the record of breaches be produced and may publish information from the record if doing so would be in the public interest.

Are you Subject to PIPEDA?

When brokering within one's province of origin – with the exception of Alberta, British Columbia and Quebec – PIPEDA applies. Mortgage brokers in those provinces are subject to the privacy legislation of their respective province. It is important to note that Alberta and British Columbia have breach-notification requirements and protocols very similar to those now to be required under PIPEDA.

When involved in inter-provincial and international transactions for commercial activities, all parts of Canada – including Alberta, British Columbia and Quebec – must comply with PIPEDA. All mortgage brokers engaged in such transactions would be subject to PIPEDA to the extent of those transactions.

Penalties

A mortgage broker who is subject to PIPEDA and knowingly fails to report a covered breach to the Privacy Commissioner's office, notify affected individuals of a covered breach, or maintain a record of all breaches, could face fines of up to $100,000. As with the application of penalties generally, a number of factors are likely to impact how much a mortgage broker is fined for a breach in a specific instance. Factors would include the nature and sensitivity of the breached information, the manner in which the breach occurred, the scope of the breach, whether the mortgage broker is a repeat offender, and the degree or lack of care taken to avoid the breach.
Takeaways

Whether your organization is covered by PIPEDA or by provincial legislation, you should:

- have systems and training in place to protect against privacy breaches
- comply with reporting and notification requirements in the event of a breach
- have systems and training in place to maintain the required records concerning privacy breaches
- keep in mind that the reporting and notification requirements may invite litigation. (This is not to suggest you should not comply with the notification requirements, but rather that you be prepared for the possibility of litigation)
- consider obtaining cyber liability insurance.