#CyberFLASH: New data breach requirements in Canada: how to best manage your risks

Though recent amendments to Canada’s Personal Information and Electronic Documents Act (PIPEDA) are now in force, the federal government has yet to release regulations addressing data breach notification. Still, given the growing number of well-publicized data breaches, it’s critical for organizations to understand that their privacy policies and security safeguards are coming under greater scrutiny on all fronts. Below is an overview of some of the issues they need to keep in mind as they prepare to face evolving cyber threats.

Stay tuned: the new breach notification regime

The new PIPEDA provisions require organizations to keep a record of every breach of security safeguards involving personal information under their control. The amendments also require organizations to notify both affected individuals and the Privacy Commissioner of Canada if it is reasonable to believe that the breach risks significant harm to an individual. “Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. Relevant factors in determining such a risk include the sensitivity of the personal information involved in the breach and the probability that it may be misused. Notification must be given “as soon as feasible” after the organization determines that the breach happened. The new provisions also give enhanced powers to the Privacy Commissioner of Canada. Failing to meet the reporting requirements can carry a fine of up to $100,000.

PIPEDA applies to organizations’ commercial activities in all provinces, except in provinces whose own privacy laws have been declared substantially similar (Québec, British Columbia, Alberta), and subject to certain exceptions.

Though the new federal breach requirements are not yet in force, companies facing a breach ought to consult legal counsel to advise them on the best notification and reporting practices.


© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.