Canadian Data Breach Reporting Now in Effect

Protect Your Information Poster

Effective today, Nov. 1st, new Data Breach Reporting obligations take effect, requiring Canadian organizations to report certain breach of security safeguards to the Canadian Privacy Commissioner’s Office and to notify anyone affected.

“The number and frequency of significant data breaches over the past few years have proven there’s a clear need for mandatory reporting,” says Commissioner Daniel Therrien. “Mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information.”

Under the new Personal Information Protection and Electronic Documents Act (PIPEDA), organizations must:

  • Report to the Privacy Commissioner’s office any breach of security safeguards where it creates a “real risk of significant harm;”
  • Notify individuals affected by a breach of security safeguards where there is a real risk of significant harm;
  • Keep records of all breaches of security safeguards that affect the personal information under their control; and
  • Keep those records for a minimum two years.

Security Safeguards

A breach of security safeguards is defined as “the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards …, or from a failure to establish those safeguards.”

The new data breach reporting regulations state that the nature and level of security safeguards in place should be relative to the sensitivity, amount, distribution, format and storage method of the information.

Methods of protection should include physical measures (e.g. locks, alarm/access control system), organizational measures (e.g. policies & procedures limiting access to personal information), and technological measures (e.g. use of passwords and encryption).

Real Risk of Significant Harm

Significant harm in this context is defined as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”  Other factors to be considered are the sensitivity of the personal information involved and the likelihood that information has/is/will be misused.

More details on these new data breach reporting regulations can be found here.

If you have concerns about the adequacy of IT security safeguards in your organization, let us perform an IT Security Assessment.  We will identify any areas of concern and recommend how to better protect your own, your customers’ and your employees’ confidential data.