Failure to report breaches could mean big fines
After more than three years of legislative fine-tuning, Canadian businesses will be required as of today to alert their customers and the federal privacy watchdog if there’s a danger that personal information under an organization’s control has fallen into the wrong hands.
Failure to report the potential for significant harm could expose private-sector organizations to fines of up to $100,000 for each time an individual is affected by a security breach, if the federal government decides to prosecute a case.
But there are warnings that Canada’s privacy office — an arms-length Parliamentary body — will be handicapped by a lack of resources and its limited powers under the Personal Information Protection and Electronic Documents Act, or PIPEDA.
Privacy commissioner Daniel Therrien says his office needs about six more people to analyze the new flood of breach reports that will start to flow.
Without additional funds, the office will only be able to take a superficial look at most reports.
“We will focus on those with the greatest harm. . . . And when we see gaps in the posture of organizations, we will recommend they improve safeguards,” Therrien said in an interview.
But under the current law, the Office of the Privacy Commissioner can only advise organizations to make changes. The OPC has no authority to order corrective changes or issue fines — an enforcement power that Alberta’s privacy watchdog has had since 2014.
And since PIPEDA is full of imprecise language that require notifications “as soon as feasible” after a “real risk” of “significant harm” has been detected, there’s a danger that some incidents will be reported too slowly or not at all.
“That’s not our domain,” Therrien said.
“It will be up to the Justice Department to decide whether or not to prosecute. . . . If they do, the fines are fairly hefty.”