Starting November 1, 2018, Canadian companies will be required to report data breaches to customers, affected third parties and the federal privacy commissioner. The specific regulations of this new data breach reporting law have not yet been finalized but are expected to be released in the coming months.
Draft regulations were released in September 2017. The regulations refer to mandatory data breach reporting as follows:
- The organization must determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach (“affected individuals”) by conducting a risk assessment. The assessment of risk must consider the sensitivity of the information involved, and the probability that the information will be misused;
- When the organization considers that a breach poses a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada (the Commissioner) as soon as feasible;
- The organization must notify any other organization that may be able to mitigate harm to affected individuals; and
- The organization must maintain a record of any data breach that the organization becomes aware of and provide it to the Commissioner upon request.
These federal data breach notification obligations will apply to federally regulated firms, including banks, telecom companies and transportation firms, as well as to firms located in all provinces except Quebec, Alberta and British Columbia, which have their own privacy laws.
Information that must be provided to affected individuals includes:
(a) a description of the circumstances of the breach;
(b) the day on which, or period during which, the breach occurred;
(c) a description of the personal information that is the subject of the breach;
(d) a description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
(e) a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
(f) a toll-free number or email address that the affected individual can use to obtain further information about the breach; and
(g) information about the organization’s internal complaint process and about the affected individual’s right, under the Act, to file a complaint with the Commissioner.
For non-compliance with these new data breach reporting regulations, courts can impose fines and order non-compliant organizations to change their practices.
Experts believe that organizations are not doing what they should to protect the data they are entrusted with, and conclude that this is why data breaches are on the rise. They also note that even though a data breach may not appear to have caused any harm, one should be aware that cyber criminals will often perform “test attacks” before taking things a step further. They may also stay dormant on a network after a breach until a later time, or use a breach as a distraction while they carry on with other, more harmful activities.
These regulations are intended to better protect Canadians’ personal information and to minimize harm to those affected by a data breach, by encouraging and enforcing better data security practices. Prompt notification also lets individuals affected by a breach act immediately to protect themselves.