Failure to report Canadian privacy breaches could mean big fines after Nov. 1
After more than three years of legislative fine-tuning, Canadian businesses will be required as of Thursday to alert their customers and the federal privacy watchdog if there’s a danger that personal information under an organization’s control has fallen into the wrong hands.
On November 1, Canada becomes the newest country to enact a stringent data breach regulation. The Personal Information Protection and Electronic Documents Act, or PIPEDA, goes into effect on November 1, based on a report from the CTVNews network:
According to the Ponemon Institute’s 2017 International Cost of a Data Breach study, the average cost to Canadian companies of a breach was $6.11 million, up 5.6 per cent from those who participated in the 2016 report. By comparison, the global average cost of a breach was US$3.86 million.
NEWS INSIGHTS: According to Pravin Kothari, CEO of cloud security vendor CipherCloud,
“The data privacy train is picking up speed in Canada. The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and the Digital Privacy Act amendment makes it clear that companies are now responsible for the exposure or loss of customer data. The expanded regulation applies to companies of all sizes that do business in Canada and is enforced by the Privacy Commissioner of Canada. The amended PIPEDA legislation includes new rules about data breach reporting and requires that regulated companies report a breach to the Privacy Commissioner’s office and the impacted individuals if there is a “real significant risk of harm.
The devil is already deep within the details. The Office of the Privacy Commissioner of Canada has provided explicit guidance on the issue of significant harm. As defined within guidance, significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property. The definitions of the exclusion for “business contact information” have also evolved and merits close attention as this sheds further light on the definitions of personal information.
It is now a very short step to an even stronger data privacy law in Canada. In lockstep with many nations around the world, we expect Canadian regulation to rapidly evolve further into the depth and breadth of the European Community GDPR. This will ultimately provide a very detailed view of sensitive data, specified data protection such as encryption, and much tougher and expanded penalties for non-compliance.”