Draft Canadian Security Breach Regulations Finally Unveiled

7 Min Read By: Lisa R. Lifshitz

IN BRIEF

  • The Government of Canada (Innovation, Science and Economic Development Canada) recently released the long-awaited proposed Breach of Security Safeguards Regulations, which outline the obligations for breach reporting and notification under Canada’s federal private sector privacy law.
  • Under the regulations, an organization is required under certain circumstances to notify affected individuals, any other relevant organization or government institution and the Privacy Commissioner of Canada in a specified manner.
  • Affected U.S. businesses should review their current practices and consider establishing the safeguards set forth in the proposed regulations to avoid monetary penalties.

It’s been a long wait. More than two years have passed since Ottawa amended Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA, or the Act), by enacting Bill S-4, the Digital Privacy Act, to establish mandatory data-breach reporting requirements. Yet sections 10.1 through 10.3, the provisions outlining the obligations for breach reporting and notification, are still not in force pending the creation of the necessary regulations. On September 2, 2017, Innovation, Science and Economic Development Canada finally published the proposed Breach of Security Safeguards Regulations (Regulations), along with a Regulatory Impact Analysis Statement (RIAS), in the Canada Gazette. The proposed Regulations will come into force at the same time as section 10 of the Digital Privacy Act and are open for comments from interested parties for a period of 30 days.
By way of refresher, once the new data-breach sections of PIPEDA are in force, an organization that experiences a data breach (referred to in PIPEDA as a “breach of security safeguards”) must conduct a risk assessment to determine whether the breach poses a “real risk of significant harm” to any individual whose information was involved. “Significant harm” may include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property. When conducting this risk assessment, the organization must consider the sensitivity of the information involved and the probability that it has been, is being or will be misused. If the answer is “yes,” the organization is required to notify affected individuals and the Privacy Commissioner of Canada (the Commissioner) as soon as feasible.
Additionally, because the primary objective of the new data-breach reporting and notification framework in PIPEDA is to prevent or mitigate the potential harm to individuals resulting from a breach, the updated Act requires an organization that notifies individuals of a breach to also notify other third-party organizations and government institutions (or parts of a government institution) of a potentially harmful data breach if the notifying organization concludes that such notification may reduce the risk of harm tha
