As data breaches echo around the world, Canada now has its own law, paralleling Europe’s General Data Protection Regulation (GDPR) and the USA’s Health Insurance Privacy and Portability Act (HIPAA). These regulations govern disclosure of data breaches to people whose data has been lost, stolen or somehow leaked to the public.
Responsible leaders in U.S. companies should note that there is no exemption here for foreign-owned or operated companies. If your data breach involved Canadians, even those residing outside Canada, you have to comply.
Types of Organizations Included
Note that the law applies to organizations, which of course includes businesses. But the range of the law covers other entities as well. If you can be considered an organization of any kind, you may need to comply with these regulations.
What happens if the breach occurs in Canada, but for some strange reason, no residents of Canada were involved? You’re still required to comply with the law. (As always, legal questions are best answered by lawyers.)
The law was passed in 2015 and becomes effective November 1, 2018. Penalties for any violation can be up to $100,000. (This is a pittance when compared to penalties under the GDPR and HIPAA.)
What Do I Have To Do If There’s A Breach?
You must disclose it to affected Canadians, including the following information:
Is There More To This Than Meets The Eye?
Yes. It’s important to be aware that the law governing data breaches is not a stand-alone act. It is an amendment to PIPEDA, the Canadian Personal Information and Electronic Documents Act. A summary of Canada’s privacy laws, and links to more specifics can be found here. A discussion of the specific laws related to digital information is here. You need to understand and comply with both.
The wording in PIPEDA leaves room for the judgment of executives. It covers situations where “…it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.”
Whether intentional or not, the wording is somewhat vague and ambiguous. Certain words should be interpreted in the light of precedents set in the Canadian courts. There is no way to determine the true meaning of many of these terms when applied to a specific data breach, including:
What Really Happens After November 1, 2018?
Although the law formally takes effect on November 1, 2018, it cannot be applied in practice until the Office of the Privacy Commissioner of Canada has written and published its implementing regulations after consultation with stakeholders.
If you are concerned about the impact on your Canadian operations, it is important to track what is going on in the process of writing and implementing these regulations.
There is, for example, no guarantee at this point that the regulations, when written, will not be retroactive. You should comply now.
Should All Data Breaches Be Reported?
The answer to this question can be found by looking at the experiences of other companies – Facebook, Uber, Google, and Experian – that suffered data breaches and did not report them.
Every single one received a great deal of bad publicity. Many of their executives were fired for the way they mishandled the breach.
The applicable rule here that all should remember is: “It’s not the crime; it’s the cover-up.”
A data breach is bad enough. It exposes the personal information of millions of people to hackers and thieves. Any organization that has a data breach also has a duty to report it promptly. The guidelines for reporting it and notifying affected parties are clearly spelled out in the law. Your best assumption is that either you will have to report the breach, or someone will report it for you.
Fines and penalties can be much more severe for those organizations that wait too long before reporting a breach or do not follow the guidelines.
Despite all the efforts devoted to cybersecurity, the public is still extremely vulnerable. In years to come, security experts may find ways to stop the onslaught of data breaches around the world, but today, the best course of action is to follow the data breach laws.