Confidentiality Incident Management
Mandatory since September 2022. Every incident must be logged in the register β even minor ones. Notifying the CAI is only required when there is a risk of serious harm.
What is a confidentiality incident?
Defined in section 3.6 of the law as: any unauthorized access, use or disclosure of personal information, the loss of personal information, or any other breach of its protection.
Concrete examples:
- An email containing personal data sent to the wrong recipient
- Theft or loss of a laptop containing records (encrypted or not)
- A ransomware attack encrypting servers containing customer data
- A misconfigured database exposed publicly on the internet
- An employee accessing records without a legitimate reason
- A confidential document thrown out without shredding
Register (always) vs. Notification (if serious harm)
Every incident β even minor, even with no risk of harm β must be entered in the register.
Only when the incident presents a risk of serious harm to the individuals concerned.
Assessing the risk of serious harm β 4 factors
To determine whether there is a risk of serious harm, assess:
- The sensitivity of the information involved
- The possible malicious uses of that information
- The anticipated consequences of its use (identity theft, fraud, reputational harm, bodily harm)
- The likelihood that it will be used for harmful purposes
72 hours to notify the CAI
When the assessment concludes there is a risk of serious harm:
- Notify the CAI with diligence β reference point: 72 hours, per the CAI's guidelines
- Notify the individuals concerned within a timeframe that allows them to protect themselves (change a password, monitor their credit)
6 steps of incident response
- Detect and contain: isolate the system, limit the spread. The whole IT team on alert.
- Log it in the register as soon as it's discovered β even before knowing if it's serious.
- Assess the risk of serious harm with the Privacy Officer (the 4 factors above).
- Notify the CAI and the individuals concerned if the threshold is met β aim for 72 hours.
- Remediate: fix the root cause, strengthen controls, apply patches.
- Document the closure and lessons learned β update your incident response plan.
Mandatory contents of the incident register
For each incident, the register must contain:
- A description of the information affected (or reasons if it cannot be specified)
- A brief description of the circumstances
- The date or period of the incident and the date of discovery
- The approximate number of individuals concerned
- A description of the factors leading to the conclusion on serious harm
- The dates notices were sent to the CAI and the individuals (if applicable)
- A description of the measures taken to reduce the risks
β Incidents checklist
- β Is an incident register in place and up to date since Sept. 2022?
- β Do we have a written incident response plan with clear roles?
- β Do we know how and when to notify the CAI (official form available on cai.gouv.qc.ca)?
- β Do staff know how to recognize an incident and who to report it to?
- β Has the register been kept since at least Sept. 2022 and accessible for 5 years?