Governance, Risk and Compliance
By Diana Buccella Modified April 17, 2020
As of November 1, 2018, Canadian companies are required to report all data breaches regardless of the number of people impacted under legislation known as PIPEDA (Personal Information Protection and Electronic Documents Act).
Canadian organizations subject to PIPEDA are now required to:
Under the updated legislation, it is now mandatory at a federal level that companies keep accurate data about their cybersecurity safeguards for up to two years in the case that breaches are revealed down the line. The new rules also enforce penalties up to $100,000 per violation, which in our opinion should be enough of a scare to any organization contemplating whether or not they should update their IT infrastructure.
To ensure compliance, companies may be required to make changes to breach management and privacy practices within their organization.
This is where there will be varying levels of interpretation, especially if there is a breach of customer data while in the hands of a third-party vendor. As recent as last week, this type of breach made news headlines because of the nature of the data that was compromised, and the actions that were taken by the parties involved.
Canada Post verified on November 7, 2018, that thousands of Ontario customers purchasing cannabis had their information breached. The breach became public knowledge after the Ontario Cannabis Store (OCS) stated that Canada Post notified them on November 1 that someone had gained access to customer information including postal codes and names/initials of the adult who signed for the delivery.
Though both OCS and Canada Post reported the breach to the Office of the Privacy Commissioner of Canada, OCS went a step further and notified the approximately 4,500, affected individuals. There is some debate about who is responsible for notifying customers of the breach, but according to the updated legislation that responsibility ultimately falls to the principal organization. In this example, even though the breach occurred in Canada Post’s system, the transaction was made between OCS and its customers leaving them to determine if the breach resulted in a real risk of significant harm and if so, how and when to communicate that with customers.
Since Canada Post is subject to federal privacy laws any action regarding their security safeguards and reports will be handled with by the Office of the Privacy Commissioner of Canada.
According to PwC, here’s what Canadian companies should be thinking about in regards to the new legislation:
What is required under the new law?
Why should your company be prepared for the new legislation?
Not sure where to get started? Contact our team to learn more about how to prepare your organization to handle data breaches.