January 10, 2018 by Jason Contant
With Canada’s mandatory data breach notification provisions in the Digital Privacy Act expected to come into force this year, organizations will soon be required to report “breaches of security safeguards” that pose a “real risk of significant harm to an individual.”
Included as part of a series of amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), these provisions require mandatory notification to the Office of the Privacy Commissioner (OPC) and affected individuals in certain instances where a breach compromises personal identifiable information.
Adding to the mix, Canadian businesses of all sizes will also have to figure out in what other jurisdictions they will have to comply with privacy regulations, Brian Rosenbaum, national director, legal and research practice with Aon Risk Solutions Canada, told Canadian Underwriter on Tuesday.
For example, a Canadian organization whose clients have operations in the United States may be subjected to breach notification laws in the U.S., where there are 47 different versions depending on the state. Each state has different requirements about, for example, the timeframe to notify authorities of a breach, when notification is required, the sanctions for not notifying and the manner of a notification.
Organizations should also be aware of privacy laws with extra-jurisdictional effect. The General Data Protection Regulation, which is coming into effect in the European Union in May of this year, will apply to Canadian companies that obtain personal information of EU residents in certain circumstances. “Companies are going to have to look at that too,” Rosenbaum said.
“If an organization is licensed to conduct business within a jurisdiction, and that organization collects personal identifiable information of residents, customers, or employees of that jurisdiction, that organization may be required to follow the law of the jurisdiction,” Rosenbaum said. “It is not always cut-and-dry, but organizations would be wise to look into that.
“Even savvy organizations in Canada that have a high degree of cyber maturity… still have to figure out in what other jurisdictions they have to comply with privacy regulations and laws.”
Rosenbaum recommends that organizations have one breach protocol that takes into account the most stringent requirement from all the laws to which they may be subject, something many of his clients have not yet fully done.
In Canada, the OPC defines breaches of security safeguards as “what is commonly known as a data breach.” Significant harm includes “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft,” among others.
“That is going to be the focus of the organizations that are not up to speed now,” Rosenbaum told Canadian Underwriter on Tuesday. “Those that don’t have those protocols and procedures in place are going to have them.”
Rosenbaum commented after Aon released its global 2018 Cybersecurity Predictions report on Monday. The mandatory breach notifications were one of Aon’s five major trends for cybersecurity in Canada for the year.