BreachExchange mailing list archives

Bill calls for mandatory data breach reporting


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Mon, 4 Mar 2013 02:27:01 -0500

http://www.itworldcanada.com/news/proposed-bill-calls-for-mandatory-breach-reporting/146801

Private members bill by NDP MP Charmain Borg “kickstarts” dormant
private sector privacy reform, according to privacy advocate

With the Conservative government’s privacy reform bill sitting
untouched after being introduced about two years ago, New Democratic
Party MP Charmain Borg has introduced a private member's bill that
would make it mandatory for organizations to report data breach
incidents.

Bill C-475, Borg’s proposed amendment to the federal Personal
Information Protection and Electronic Documents Act (PIPEDA), echoes
what Canadian consumer and privacy advocacy groups have been clamoring
for – more teeth to the existing privacy legislation, which only
requires voluntary reporting of breaches.

“An organization having personal information under its control shall
notify the (Privacy) Commissioner of any incident involving the loss
or disclosure of, or unauthorized access to, personal information,
where a reasonable person would conclude that there exists a possible
risk of harm to an individual as a result of the loss or disclosure or
unauthorized access,” the proposed bill reads.

The document also includes two determining factors for considering a
breach harmful:

-The sensitivity of the personal information

-The number of individuals whose personal information was involved

Bill C-475 also says the commissioner may require organizations to
notify affected individuals “to whom there is an appreciable risk of
harm” as a result of the breach.

The notification should include:

-A report of the risk of harm
-Instructions about reducing the risk of harm or mitigating the harm
-Any other prescribed information

The proposed bill also empowers the privacy commissioner to order the
organization concerned to conduct actions such as: corrective
measures; destruction of data; deleting or adding a record; stop data
collection or disclosure; and publishing a notice of actions taken.

Should the organization fail to comply within a prescribed time limit,
it may be subject to a penalty of no more than $500,000 or punitive
damages imposed by the court. Individuals affected by the breach also
have the right to sue the organization for damages or loss suffered
due to the organization's non-compliance with the act.

In his blog post today, privacy advocate and University of Ottawa
Internet law professor Michael Geist said Bill C-475 is better than
the government's Bill C-12 as it provides clear-cut breach disclosure
requirements and comes with an order-making power “backed by
significant penalties for compliance failures.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list