Breach Notification is Now Mandatory Under Canadian Law

by Resolver

All Articles

Posted on November 12, 2018

Not recording safeguards, incidents, and issues as they relate to data breaches? That could cost you up to $100,000 per violation.

As of November 1, 2018, Canadian companies are required to report all data breaches regardless of the number of people impacted under legislation known as PIPEDA (Personal Information Protection and Electronic Documents Act).

Canadian organizations subject to PIPEDA are now required to:

  1. Notify the office of the Privacy Commission of Canada any time there is “a real risk of significant harm to an individual” from a security breach
  2. Alert the affected individuals about those breaches
  3. Keep accurate and up-to-date records of all breaches

What are the implications of PIPEDA?

Under the updated legislation, it is now mandatory at a federal level that companies keep accurate data about their cybersecurity safeguards for up to two years in the case that breaches are revealed down the line. The new rules also enforce penalties up to $100,000 per violation, which in our opinion should be enough of a scare to any organization contemplating whether or not they should update their IT infrastructure.

To ensure compliance, companies may be required to make changes to breach management and privacy practices within their organization.

Reporting a breach: What does that look like in practice?

This is where there will be varying levels of interpretation, especially if there is a breach of customer data while in the hands of a third-party vendor. As recent as last week, this type of breach made news headlines because of the nature of the data that was compromised, and the actions that were taken by the parties involved.

Canada Post verified on November 7, 2018, that thousands of Ontario customers purchasing cannabis had their information breached. The breach became public knowledge after the Ontario Cannabis Store (OCS) stated that Canada Post notified them on November 1 that someone had gained access to customer information including postal codes and names/initials of the adult who signed for the delivery.

Though both OCS and Canada Post reported the breach to the Office of the Privacy Commissioner of Canada, OCS went a step further and notified the approximately 4,500, affected individuals. There is some debate about who is responsible for notifying customers of the breach, but according to the updated legislation that responsibility ultimately falls to the principal organization. In this example, even though the breach occurred in Canada Post’s system, the transaction was made between OCS and its customers leaving them to determine if the breach resulted in a real risk of significant harm and if so, how and when to communicate that with customers.

Since Canada Post is subject to federal privacy laws any action regarding their security safeguards and reports will be handled with by the Office of the Privacy Commissioner of Canada.

How can you prepare for Mandatory Breach Notification?

According to PwC, here’s what Canadian companies should be thinking about in regards to the new legislation:    

What is required under the new law?

  • Breach notification
  • Record keeping
  • Risk assessment

Why should your company be prepared for the new legislation?

  • By making changes to your breach plans and privacy programs, you can improve competitive advantage by enhancing customer trust and loyalty
  • Increase privacy awareness across the company and achieving greater efficiency among privacy, security, information technology, and data governance functions.
  • Reduce your overall risk. By responding poorly to a breach, you open your organization up to increased scrutiny, financial penalties, and potential reputational damage.

Not sure where to get started? Contact our team to learn more about how to prepare your organization to handle data breaches.    

About the Author

Resolver Protects What Matters®. Over 1,000 of the world’s largest organizations use our cloud software to protect their employees, customers, supply chain, brand and shareholders. Resolver’s Integrated Risk Management platform helps plan and prepare your organization to limit the likeliness or impact of events from occurring; this includes Risk Assessment, Enterprise Risk Management, Internal Control, Internal Audit and Compliance. We also support the response and recovery process when an event does occur; including Incident Reporting, Incident Response and Investigations. Resolver’s team is comprised of security, risk and compliance experts supporting customers across 100 countries with offices in North America, United Kingdom and the Middle East.

^