Mandatory breach notification coming this fall

A new regulation requiring all organizations to notify the Office of the Privacy Commissioner of any cyber breach of personal information will take effect this fall.

The requirement under the Personal Information Protection and Electronic Documents Act is a departure from the voluntary breach notification currently in place, said Chantal Bernier, former interim privacy commissioner of Canada.

Speaking at this month’s International Cyber Risk Management Conference in Toronto, she said PIPEDA was passed into law in 2015 but the government delayed enforcing it until the supporting regulations were established.

Ms. Bernier said failing to comply with the new breach notification requirements, which take effect Nov. 1, could result in significant fines — up to $100,000 per person who should have been notified and was not.

But there are certain nuances that the government leaves up to companies to answer.

“If there is a loss of personal information, then (the company) needs to determine whether that loss creates real risk of significant harm,” said Ms. Bernier, global privacy and cyber security group counsel at Dentons Canada.

“The law doesn’t give you much information on what is significant harm except to say you should take into consideration . . . the sensitivity of the information and the probability of the misuse.”

Fellow panellist and Liberal MP Mark Holland said the enforcement of PIPEDA speaks to Canadians’ anxieties around how their personal information is being used.

“One thing I am hearing constantly in my constituency . . . is people realizing that their data is out there . . . their whole lives are somewhere out in the world,” said Mr. Holland, MP for Ajax, Ont., and parliamentary secretary to Ralph Goodale, minister of public safety and emergency preparedness.

Ms. Bernier said some companies that have complied with the previous voluntary breach notification guidelines see the new mandatory breach notification law as an instrument to level the playing field.

“There have been voluntary breach notification guidelines (since 2007) and lots of organizations have been good companies, accountable, and availed themselves of that,” Ms. Bernier said. “Some businesses say this (law) is aggravating but there are others saying that this levels the playing field in terms of investment in cyber security.”

Meanwhile, the federal government has no intention of increasing its requirements for private businesses on how to handle consumer data.

Mr. Holland said the government already has expectations of how private businesses handle personal information and does not intend to impose prescriptive measures.

“We are very cognizant of the fact how government has to respond to breaches . . . but codifying that in direct terms to the private sector could be challenging because it could be incredibly costly,” he said.

“If you try to fit people into a specific box, government doesn’t always know what the best answer is,” Mr. Holland said. “Solutions for crime prevention in Ajax are different than P.E.I. and it is (the same) for cyber security — one business is very different from the other.”

(More news from the International Cyber Risk Management Conference is presented in the April 23 weekly edition of Thompson’s.)