Data breaches have fallen into the “dog bites man” category. Each week brings news of another, sometimes several. Last week’s bombshell that Equifax, one of the biggest holders of personal financial information in the world, was apparently hacked, was a grimly familiar example.
Although Equifax did disclose its breach (albeit many weeks after the event), most hacks are never disclosed. Businesses are not eager to share that customer information in their care was compromised, and competitive pressures motivate victims to keep the breach’s existence contained. To this day, there are few requirements in Canada for private businesses to disclose a data breach, although some provinces do have legislation.
That will soon change. Probably. Back in June of 2015, the federal government amended the Personal Information Protection and Electronic Documents Act (PIPEDA) to establish mandatory breach reporting requirements. Those changes have not yet been implemented, though. They were awaiting regulations, and on September 2, 2017, the government published draft regulations for comment.
Although the regulations are draft and subject to change, they currently rest on the following principles:
- There must be a risk assessment to determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach;
- The organization must notify affected individuals and report to the Privacy Commissioner of Canada;
- If there are other organizations which may be able to mitigate the harm, the breached organization must notify them; and
- Records of any data breach that the organization becomes aware of must be maintained, and provided to the commissioner upon request.
Once these changes are finalized and implemented, the risks to business increase. For example, PIPEDA provides for fines of up to $100,000 in some cases.
This affects nearly all businesses. Even if you think you are not holding sensitive information such as financial or health data, the same rules apply. Further, the nuances of what information was actually disclosed will not matter much in the court of public opinion, so the fact that breaches will need to be disclosed will be the important factor. Security and rules in place to protect data need to be reviewed now to minimize the risk.