Breach Notification is Now Mandatory Under Canadian Law
Governance, Risk and Compliance
Modified March 16, 2022 By Resolver
Not recording safeguards, incidents, and issues as they relate to data breaches? That could cost you up to $100,000 per violation.
As of November 1, 2018, Canadian organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) are required to report any breach of security safeguards involving personal information that poses a real risk of significant harm to an individual, regardless of the number of people affected, and to keep a record of every breach, reportable or not.
Canadian organizations subject to PIPEDA are now required to:
- Report to the Office of the Privacy Commissioner of Canada, as soon as feasible, any breach of security safeguards that creates “a real risk of significant harm to an individual”
- Notify the affected individuals of those breaches, also as soon as feasible
- Keep accurate and up-to-date records of every breach of security safeguards, whether or not it was reportable
What are the implications of PIPEDA?
Under the updated legislation, it is now mandatory at the federal level that organizations keep a record of every breach of security safeguards for at least 24 months after determining that the breach occurred, so that it can be produced if the Privacy Commissioner asks for it or if a breach comes to light later. Knowingly failing to report or record a breach is an offence carrying fines of up to $100,000 per violation, which should be reason enough for any organization that has been putting off an update of its IT infrastructure and security safeguards.
To comply, organizations may need to change their breach management and privacy practices, including how incidents are logged, assessed, and escalated.
Reporting a breach: What does that look like in practice?
This is where interpretations will vary, especially when customer data is breached while in the hands of a third-party vendor. As recently as last week, a breach of this kind made news headlines because of the nature of the data that was compromised and the actions taken by the parties involved.
Canada Post verified on November 7, 2018, that thousands of Ontario customers purchasing cannabis had their information breached. The breach became public knowledge after the Ontario Cannabis Store (OCS) stated that Canada Post notified them on November 1 that someone had gained access to customer information including postal codes and names/initials of the adult who signed for the delivery.
Though both OCS and Canada Post reported the breach to the Office of the Privacy Commissioner of Canada, OCS went a step further and notified the approximately 4,500 affected individuals. There is some debate about who is responsible for notifying customers of a breach, but under the updated legislation the reporting and notification obligations fall on the organization that has the personal information under its control. In this example, even though the breach occurred in Canada Post’s system, the transaction was between OCS and its customers, leaving OCS to determine whether the breach created a real risk of significant harm and, if so, how and when to communicate that to customers.
Since Canada Post is subject to federal privacy law, any action regarding its security safeguards and breach reports will be handled by the Office of the Privacy Commissioner of Canada.
How can you prepare for Mandatory Breach Notification?
According to PwC, here’s what Canadian companies should be thinking about in regards to the new legislation:
What is required under the new law?
- Breach notification
- Record keeping
- Risk assessment
Why should your company be prepared for the new legislation?
- By updating your breach plans and privacy programs, you can gain a competitive advantage by strengthening customer trust and loyalty
- You can increase privacy awareness across the company and achieve greater efficiency among the privacy, security, information technology, and data governance functions
- You can reduce your overall risk: responding poorly to a breach opens your organization up to increased scrutiny, financial penalties, and potential reputational damage
Not sure where to get started? Contact our team to learn more about how to prepare your organization to handle data breaches.