Canada’s new mandatory data breach notification law takes effect today.
It forces companies that fall under the federal data protection act to report serious violations of personal data safeguards to the affected individuals and to the federal privacy commissioner. Violations could result in fines of up to $100,000.
Whether companies will try to skirt the law, which says only breaches that could result in a “real risk of significant harm” – now shortened to RRSH – have to be reported, remains an open question. Some feel the definition is loose enough that a few firms may say, in effect, ‘we didn’t think it was that serious.’
However, RRSH is defined in the law. It obliges companies to consider the sensitivity of the personal information involved in the breach and the probability that the personal information accessed will be misused.
“It will be interesting to see whether they [the privacy commissioner’s office] will be overwhelmed with notifications,” says Halifax privacy lawyer David Fraser of the McInnes Cooper law firm, “because real risk of significant harm can be caused by things other than hacking … it could be a misdirected fax from one bank branch to another.”
In an interview this week privacy commissioner Daniel Therrien noted the reporting requirement is similar to one that companies in Alberta have had to deal with for several years. “It’s difficult to understand why there would be over-reporting, frankly.”
“If companies are inclined to under-report I would say that among their obligations will be an obligation to keep records of all breaches … and we will have the authority to ask for these records and will assess whether these companies will comply with the law.”
But to him the real impact of the legislation will be wider. “Hopefully — and I think we’ll see to what extent — it will focus the minds of companies on the need to have stronger security safeguards, because if they do not they may be vulnerable to adverse consequences for lack of reporting or absence of security safeguards.”
The long-planned change to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) was approved in 2015. It has taken several years — and two governments — before the detailed regulations needed for implementation were written and finalized. Then companies were given nine months to get ready.
In addition to obliging companies to report, the law gives the privacy commissioner the power to recommend prosecution of firms that don’t follow the law. “It’s not just that you’re going to be investigated and the privacy commissioner could publicly name and shame you,” said Fraser. “Companies and individuals could be charged – and that is a whole different world of consequences businesses need to tune into.” The maximum fine is $100,000 for each offence.
One thing open to interpretation is the requirement that serious breaches be reported “as soon as feasible” after being discovered.
NOTE: To help interpret this and other sections of the law, the privacy commissioner finalized its guidance this week.
The privacy commissioner can also initiate a corporate investigation based on a breach report.
As for what might be considered minor breaches – those that don’t meet the RRSH threshold – while they don’t have to be reported, the new law obliges firms to keep a record of them.
The country should get better statistics on the number and type of data breaches from figures compiled by breach reports filed to the privacy commissioner. However, it will likely be at least a year before the first annual figures are out.
However, the commissioner doesn’t have to immediately make public the breach reports the office gets. In some U.S. states with mandatory breach notification the reports are posted on a website.
While one benefit of the law – hopefully – is that organizations tighten up their data protection, Fraser said the most likely immediate result will be a leap in the number of lawsuits filed as more victims become aware their personal data is at risk of being abused. “We’ve already seen an explosion in privacy class actions [after breaches] and we’re going to have the second boom after the first of November,” he said.
Although companies have known for nine months that mandatory breach notification would start Nov. 1, it isn’t clear how many are ready. Earlier this week the Globe and Mail quoted an official from the Canadian Federation of Independent Business saying she doubts most small business owners know about it.
“For companies that operate nationally in Canada and for international companies in Canada, I don’t think it’s going to be a significant new burden,” Fraser said, “because we already have data breach reporting requirements for [those operating in] the province of Alberta.” Some companies already report to the federal privacy commissioner as a matter of good practice, he added.
“My number one concern is mainly going to be with small and medium-sized businesses. The awareness of those businesses of our privacy laws is quite low.”
Commissioner Therrien expects companies that pay attention to the media have known about the start date, but said he hears from lawyers that small businesses aren’t as ready. “We’ll have to wait and see.”