BreachExchange mailing list archives

Canada stiffens data breach reporting requirements


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 1 Oct 2015 18:23:43 -0600

http://www.businessinsurance.com/article/20151001/NEWS06/151009973/canada-stiffens-data-breach-reporting-requirements-through-digital

Corporations experiencing significant data breaches in Canada no longer
have the option of keeping quiet, as the failure to inform regulators or
customers can now potentially result in significant noncompliance penalties.

The Digital Privacy Act passed in June makes significant changes to
Canada’s Personal Information Protection and Electronic Documents Act,
commonly known as PIPEDA, which sets standards for the collection, use and
disclosure of personal information in the course of commercial activities.

The new legislation requires organizations to notify affected individuals
and the Privacy Commissioner of Canada where there is a reasonable belief
that the breach creates a “real risk of significant harm” to the
individual. It also requires organizations to keep and maintain a record of
every breach of safeguards involving personal information under their
control, regardless of whether the breach creates a risk of significant
harm.

“It’s been interesting in the last few years to see companies respond by
saying there’s a breach that we’re just going to keep quiet about because
if we’re quiet about it, maybe it didn’t happen,” Kadey B.J. Schultz, a
partner with law firm Schultz Frost L.L.P. in Toronto, told attendees of
the 2015 RIMS Canada conference in Quebec City on Monday. “That doesn’t
work so well. In Canada now, we know that the notices need to go out.”

Violations of the breach notification and breach record-keeping obligations
can result in punishment ranging from summary conviction and a $10,000
fine to indictable conviction and a $100,000 fine, meaning Canada has gone
from a slightly “Wild, Wild West” environment with little regulation to a
fine-based regulatory environment for data breaches, Ms. Schultz said.

“There’s no question that some of the provisions of this act are scary in
terms of what they are setting the tone for,” said Patrick Bourk, senior
vice president for Integro Ltd. in Toronto.

A 2012 decision by the Ontario Court of Appeal previously illustrated the
developing risk with regard to data breaches and the willingness of
Canadian courts to allow damage awards even in nominal breaches when no
injury is suffered, Ms. Schultz said. The case centered around an employee
of the Bank of Montreal who accessed the bank account of her partner’s
ex-wife 174 times in four years, in violation of the bank’s code of
business conduct. The ex-wife sued claiming her privacy had been violated
and eventually received damages of $2,000, with the bank “lucky” higher
damages were not awarded, Ms. Schultz observed.

“That’s what we’re seeing in Canada, which is very different than the
U.S.,” she said. “There seems to be a higher tolerance in the Canadian
courts to allow for compensation just where a breach has occurred.”

The new legislation makes it clear that corporations will need to develop a
breach response system and a new standard of care that will warrant
attention, she said. However, having a strong system could also allow
corporations to prove that information did not leak out despite the breach,
which could help them avoid major payouts in the Canadian courts, she said.

“This is never going to be about not having breaches,” she said. “The
breaches are going to occur. It is what have we done to create a system of
responsibility and accountability for owning the information that we have
so that if a breach does occur, that there’s a really solid system in place
and a good team in place to respond to that breach.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com