Public advocacy centre skeptical of data breach reporting regulations
OTTAWA - Companies would be required to notify people of a serious data breach involving personal information under proposed new federal regulations.
But the regulations are intended to provide “maximum flexibility” to an organization that loses data, says a government notice accompanying the planned measures.
One prominent public advocacy organization voiced skepticism Tuesday about how effective the new rules will be.
Several businesses — including telecom provider Bell Canada, retailer Target and affair-seekers website Ashley Madison — have been stung by breaches in recent years.
The loss of data can be embarrassing for an organization and often causes headaches for customers whose personal or financial details are suddenly swirling in cyberspace.
Legislation passed two years ago laid the groundwork for mandatory reporting of private-sector breaches that pose a “real risk of significant harm” to individuals.
The newly published regulations, drafted with the help of public feedback, would flesh out the legislation.
“A key theme of the responses was the need for flexibility to allow organizations to implement requirements in a manner that fits their particular circumstances,” the federal notice says.
“The majority of business representatives were against overly prescriptive regulations and expressed the desire to make use of existing practices to meet their new obligations to the extent possible.”
Where there is a likelihood of “significant harm,” organizations would be obliged to inform affected people as well as the federal privacy commissioner, whose office would determine whether appropriate actions were indeed being taken.