New data breach reporting rules in place
On November 1, 2018, the federal government introduced new rules around how a business must report a data breach. There are five significant changes of which to be aware, including fines.
Amy Simpson of MicroAge Peterborough agrees that awareness is key. “Now more than ever we need to secure our businesses' IT / Data to minimize the risk of a breach. You are responsible for protecting your client’s data, and now there is the possibility of large fines if you don’t report it.”
As stated on the Privacy Commissioner of Canada website: “The amendments impose a new set of obligations onto organizations to inform individuals if their personal information has been lost, stolen or inappropriately accessed, and they are placed at risk of harm. Specifically, the Digital Privacy Act states that:
• data breaches that pose a real risk of significant harm will need to be reported to the Privacy Commissioner, and affected individuals will need to be notified;
• an organization may also be required to notify other organizations if they are in a position to protect affected individuals from harm (e.g. credit card companies, financial institutions or credit reporting agencies, if their assistance is necessary for contacting individuals or assisting with mitigating harm);
• records of all data breaches experienced by an organization will need to be maintained and provided to the Privacy Commissioner upon request;
• deliberately failing to report a data breach, or deliberately failing to notify an individual as required will be separate offences subject to fines of up to $100,000. In the case of notification to individuals, it will be a separate offence for every individual left without notification of the breach; and
• deliberately failing to keep or destroying data breach records will also be an offence, subject to a fine of up to $100,000.”