The year 2018 is going to be a milestone year in terms of privacy legislation. Following the breach notification amendments to Australia’s Privacy Act of 1988 in February this year and the coming into effect of the much talked about European Union General Data Protection Regulation (GDPR) in May, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has been in effect since November 1. In the interim, on June 28, 2018, the California Consumer Privacy Act of 2018 was passed.
The amendments to Australia’s Privacy Act of 1988 introduce a mandatory notification procedure for data breaches: if there is an “eligible data breach”, it must be notified to the Office of the Australian Information Commissioner (OAIC) and to any parties who are “at risk” because of the breach. The EU GDPR, which carries real risk for your organization if it is not complied with, contains provisions and requirements pertaining to the processing of personal data of individuals inside the Union, and applies to any enterprise, whether established in the EU or elsewhere, that processes the personal data of people inside the EU. The California Act introduces strict parameters on the collection, use and distribution of the personal information of residents of the state.
Under the Canadian data breach law, companies that fall under the purview of the federal data protection act are required to report data theft to the victims and to the Office of the Privacy Commissioner of Canada (OPC). Noncompliance fetches fines of up to $100,000. In the Final Guidance released on October 31, the federal privacy commissioner details how companies may fulfil the reporting and record-keeping obligations under the new law. Under PIPEDA, companies need to report breaches of personal information “that pose a real risk of significant harm” to individuals; notify affected individuals about those breaches; and maintain records of all breaches.
“Significant harm” refers to material harm involving serious consequences or effects, including potential financial loss, damage to property, identity theft, and damage to one’s professional or personal reputation. “Personal information” under PIPEDA is broadly defined as “information about an identifiable individual,” while “breach of security safeguards” is defined as the “loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards.”
Data breaches in Canada
The law comes into force at a time when data breaches in Canada are among the costliest in the world, at an average per capita cost of $190, second only to the United States at $225. According to the 2017 Cost of Data Breach Study by the Ponemon Institute, the global average total cost of a data breach is $3.62 million; the average cost per lost or stolen record is $141; and the likelihood of a recurring material data breach over the next two years is 27.7%.
Notification costs in Canada (creating contact databases, meeting regulatory requirements, working with hired experts, communicating with affected individuals, etc.) are the fifth most expensive, at $0.12 million. Data breach detection and escalation costs are the highest in Canada, at an average of $1.46 million. Detection and escalation costs include forensic and investigative activities, assessment and audit services, crisis team management, and communications to executive management and the board of directors.
In such a scenario, companies in today’s digital economy that directly collect personal information must remain vigilant against potential data breach threats. Companies must review their data collection policy and ascertain whether the personal information they hold belongs to individuals in Canada. Business entities must concentrate on updating internal procedures and documents to accommodate Canada’s breach notification requirements. Companies must start working, if they have not already done so, with their IT teams to identify the risk profile related to individuals from the country. Businesses must also update and provide breach training to the staff concerned, followed by a breach drill that follows a similar pattern.
Furthermore, exercising some key breach reaction steps would go a long way for companies at a time when the global economy is exposed to heightened risks. These key steps include containing the breach and conducting a preliminary review; risk evaluation; breach reporting; and measures to prevent future threats. Containing the breach and the preliminary review should be aimed at recovering the compromised records, revoking access codes, and rectifying weaknesses across the entire security environment.
Risk evaluation needs to determine the severity of the breach by evaluating the type of incident, the type of personal information that was compromised, the extent of the breach, and the foreseeable harm. Reporting implies raising the breach with the appropriate authorities and parties and evaluating the resulting obligations. Measures to prevent future threats involve developing a prevention plan, including reviews of existing policies, the security framework, staff practices, and third-party service providers.