Companies may have to notify their customers of serious data breaches
OTTAWA — Companies would be required to notify people of a serious data breach involving personal information under proposed new federal regulations.
But the regulations are intended to provide “maximum flexibility” to an organization that loses data, says a government notice accompanying the planned measures.
Several businesses — including telecom provider Bell Canada, retailer Target and affair-seekers website Ashley Madison — have been stung by breaches in recent years. The loss of data can be embarrassing for an organization and often causes headaches for customers whose personal or financial details are suddenly swirling in cyberspace.
Legislation passed two years ago laid the groundwork for mandatory reporting of private-sector breaches that pose a “real risk of significant harm” to individuals. The newly published regulations, drafted with the help of public feedback, would flesh out the legislation.
“A key theme of the responses was the need for flexibility to allow organizations to implement requirements in a manner that fits their particular circumstances,” the federal notice says.
“The majority of business representatives were against overly prescriptive regulations and expressed the desire to make use of existing practices to meet their new obligations to the extent possible.”