New federal privacy rules give businesses flexibility on reporting data breaches
TORONTO - Federal data breach regulations set to take effect Nov. 1 will require mandatory reporting of security breaches that pose a “real risk of significant harm,” but give businesses flexibility about how that’s done.
Ottawa has rolled out the long-awaited requirements in a notice in the Canada Gazette that indicates the government wanted to protect consumers without overburdening private-sector organizations with excessive costs or complexity.
The regulations require organizations to determine if a data breach poses a risk to any individual whose information was involved and then to notify the federal privacy commissioner and affected individuals “as soon as feasible.”
The newly published regulations also give organizations flexibility to use any form of communication to individuals that a reasonable person would consider appropriate, such as phone, email or advertisement.
Companies that had been hacked had previously been alerting the public on their own timeline, although those under federal jurisdiction have been notifying the Office of the Privacy Commissioner and some provinces have other requirements.
There was mixed reaction Thursday to the new regulations for the Personal Information Protection and Electronic Documents Act, part of an update that was passed into law in 2015.
Class action lawyer Jean-Marc Leclerc said “it’s a good thing in a general sense that finally a statute in Canada requires a privacy breach to be notified” even though it provides too much “wiggle room” to organizations with breaches.
He’s a partner at Sotos LLP, a Toronto-based firm that’s launched a class action case against Equifax Canada after American credit-monitoring service Equifax Inc. revealed a breach affecting an estimated 143 million people in the U.S.
“The point is, there was no legislation in force that required Equifax to disclose what, at that point, looked like extremely sensitive financial information belonging to potentially millions of Canadians who were in Equifax’s databases.”
But he said disclosure of a breach could damage the organization’s reputation and open it to class action suits that would usually be far more expensive than a fine of $100,000 per violation of the breach notification regulations.
“Faced with those consequences, and the possibility of a $100,000 fine, I know what some companies would choose,” Leclerc said in an interview.
However, privacy lawyer Imran Ahmad, a partner at Miller Thomson, said he thinks the $100,000 fine does provide “some teeth” and the requirement to do a risk analysis and keep records of all breaches for two years can be “onerous.”
“It’s a record that can be used against you,” Ahmad said.
Former Ontario privacy commissioner Ann Cavoukian said that the wording in the new federal regulations is far too loose to sufficiently protect consumers.
She added that the whole point of notifying the privacy commissioner of all breaches — without the condition that they are a “real risk” of “significant” harm — was to ensure that individuals know that a breach of their security had happened.
“This lets everybody off the hook,” Cavoukian said.
Recent news reports have revealed the Uber ride-hailing company tried to cover up a breach for more than a year by paying off hackers.
Prior to that, it took Yahoo! years to disclose the full extent of a 2013 breach. It originally announced one billion people were affected but announced last year, after the Equifax revelation, that about three billion people were affected.