The upcoming mandatory requirement to disclose data breaches will help address some of the anxieties that Canadians have about cybersecurity and data protection, and may prescribe some precautions that organizations can take for remediation.
What would these precautions look like?
Think Ashley Madison, according to Chantal Bernier, a former interim head of the Office of the Privacy Commissioner of Canada (OPC). Currently counsel with the global privacy and cybersecurity group of Dentons Canada LLP, Bernier spoke at the International Cyber Risk Management Conference (ICRMC) in Toronto Wednesday.
In July 2015, a group calling itself “The Impact Team” stole the user data of Ashley Madison, a commercial website billed as enabling extramarital affairs. Bernier said the OPC’s report of findings on the Ashley Madison breach may provide a clue about what to expect from the regulations regarding the protection of consumer information.
“You will see very, very detailed recommendations that the Office of the Privacy Commissioner held Ashley Madison to,” Bernier said. “And Ashley Madison implemented it all.”
The new regulation, which will come into force Nov. 1, addresses concerns about breaches, protection and notifications, Ontario MP Mark Holland told the ICRMC.
“How am I guaranteed to know if that information is out there so I can take measures to protect myself?” said Holland, who is also parliamentary secretary of public safety and emergency preparedness. “This is incredibly important for people to be reassured that there is a mechanism that appropriates fines to individuals; that has an oversight mechanism to be able to catch it; [and that puts] some regime in place to provide that reassurance and protection. I think this is incredibly important. We’re happy to see it come into force.”
Under the regulation, if there is a breach (a loss of personal information), there needs to be a determination of whether that loss creates “a real risk of significant harm.” While the law doesn’t provide much guidance on what this constitutes, three factors should be taken into consideration:
The sensitivity of the information compromised
The probability of its misuse, and
Whether the harm may be more than pecuniary loss – the definition of harm also includes moral and psychological harm, including reputational harm.
Bernier said during the session that if a breach creates a real risk of significant harm, the Canadian privacy commissioner and every impacted individual must be notified. Failing to do so could result in a penalty of up to $100,000 per person who should have been notified and was not, said Bernier.
“The good guys like this,” she added, “because they say, ‘We invest a lot in cybersecurity, so when people who don’t [are] forced to reveal when there’s an impact, that will level the playing field in terms of investment.’”
It is anticipated the government will make an announcement about the breach requirements in about a week.