BreachExchange mailing list archives
Bill calls for mandatory data breach reporting
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Mon, 4 Mar 2013 02:27:01 -0500
http://www.itworldcanada.com/news/proposed-bill-calls-for-mandatory-breach-reporting/146801

Private member's bill by NDP MP Charmaine Borg "kickstarts" dormant private sector privacy reform, according to privacy advocate

With the Conservative government's privacy reform bill sitting untouched after being introduced about two years ago, New Democratic Party MP Charmaine Borg has introduced a private member's bill that would make it mandatory for organizations to report data breach incidents.

Bill C-475, Borg's proposed amendment to the federal Personal Information Protection and Electronic Documents Act (PIPEDA), echoes what Canadian consumer and privacy advocacy groups have been clamoring for: more teeth to the existing privacy legislation, which only requires voluntary reporting of breaches.

"An organization having personal information under its control shall notify the (Privacy) Commissioner of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk or harm to an individual as a result of the loss or disclosure or unauthorized access," the proposed bill reads.

The document also includes two determining factors for considering a breach harmful:
- The sensitivity of the personal information
- The number of individuals whose personal information was involved

Bill C-475 also says the commissioner may require organizations to notify affected individuals "to whom there is an appreciable risk of harm" as a result of the breach. The notification should include:
- A report of the risk of harm
- Instructions about reducing the risk of harm or mitigating the harm
- Any other prescribed information

The proposed bill also empowers the privacy commissioner to order the organization concerned to take actions such as: corrective measures; destruction of data; deleting or adding a record; stopping data collection or disclosure; and publishing a notice of actions taken.

Should the organization fail to comply within a prescribed limit, it may be subject to a penalty of no more than $500,000 or punitive damages imposed by the court. Individuals affected by the breach also have the right to sue the organization for damages or loss suffered due to the organization's non-compliance with the act.

In his blog post today, privacy advocate and University of Ottawa Internet law professor Michael Geist said Bill C-475 is better than the government's Bill C-12 as it provides clear-cut breach disclosure requirements and comes with an order-making power "backed by significant penalties for compliance failures."

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list