May 2, 2016 by Greg Meckbach, Associate Editor
A Canada-wide regulation mandating disclosure of privacy breaches might not be in place until late 2017, an official with the Office of the Privacy Commissioner of Canada suggested Friday.
In June, 2015, the Digital Privacy Act was passed into law. Originally tabled as Bill S-4, the bill would give courts the power to “assess penalties for deliberately failing to report a data breach to the Privacy Commissioner, deliberately failing to notify an individual of a data breach and deliberately failing to maintain or deliberately destroying data breach records,” said Phil McColeman – Conservative MP for Brant – in the House of Commons in October, 2014, about a year before the Liberals replaced the Conservatives with a majority government.
The Digital Privacy Act makes amendments to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Though it’s been on the books for nearly a year, the amendments “dealing with breach reporting, notification and recordkeeping will be brought into force only after related regulations outlining specific requirements are developed and in place,” a spokesperson for the Office of the Privacy Commissioner of Canada told Canadian Underwriter in an e-mail this past January.
“Regulations are not yet in force,” said Vance Lockton, senior analyst for stakeholder relations at the Office of the Privacy Commissioner of Canada, on April 30, during a presentation at Insurance Telematics Canada in Toronto.
“The most recent timeline that we are hearing is that it will probably be in force somewhere around the fall of 2017,” Lockton said of Canada’s mandatory breach notification regulations.
He added the federal department of Innovation, Science and Economic Development is holding consultations until May 31.
“There are a lot of factors left to be determined as far as those regulations go,” Lockton added during his presentation, titled Economics of Personal Information – Consent in the Digital Age.
In October, 2014, James Moore – then Canada’s Conservative Industry Minister – said that “if an organization has a data breach and its customers’ personal information is stolen or lost, it’s not currently mandatory for the company to disclose to the customers that their information has been compromised.”
Moore was speaking before the Standing Senate Committee on Transport and Communications.
“The Digital Privacy Act will require organizations to tell individuals if their personal information has been lost or stolen,” Moore told the committee. “As part of this notification, organizations will also have to tell individuals what steps they can take to protect themselves, such as changing their credit card PIN, their email password, setting up a secondary layer of security, and so on.”
Bill S-4 would require firms to notify people if their personal information has been lost “and there is a potential to expose us to harm,” said Joan Crockatt, then the Conservative MP for Calgary Centre, in the Commons in October 2014. “The time frame companies would be given to do this under this bill would be as soon as was feasible. For example, if a company’s computer system was hacked and the clients’ credit card information was stolen, the company might need a week to put a fence around it and figure out how many people had been affected and let us, as consumers, know. If the data breach or the hacker was more sophisticated, it might take the company a couple of weeks to figure out everyone who was affected and let us know. There would be some flexibility, but one thing that would be very clear would be that companies could not delay notifying us when there was this kind of breach.”
Bill S-4 “would require organizations to keep records of data breaches of any kind,” Privacy Commissioner Daniel Therrien said, in February, 2015, before the House of Commons Standing Committee on Industry, Science and Technology.
“We will be able to review their records to determine whether or not appropriate breach notification has occurred, and it will allow us to determine trends generally on the issues so that better advice can be given to organizations and individuals,” Therrien said at the time.
The Digital Privacy Act will also let OPC officials “determine whether the organizations are complying with mandatory breach notifications,” Therrien added during his testimony before the committee. “If they are not, in the worst-case scenarios, we could advise police authorities and the Attorney General so that prosecutions could be made against these organizations. So it’s a clear incentive for organizations to comply with the requirement.”