Canada Moves Forward with Mandatory Federal Security Breach Notification Law

BakerHostetler

On June 18, 2015, the Canadian Minister of Industry announced that the Digital Privacy Act, which amends Canada’s foundational Personal Information Protection and Electronic Documents Act (PIPEDA), has received royal assent and is now law. Although the Act contains a number of provisions that are likely to impact organizations doing business in Canada, certain key features—notably, the security breach notification requirements—will not come into effect until regulations are issued by the Canadian government.

Pursuant to amendments contained in the Digital Privacy Act, organizations will be required to notify the Privacy Commissioner and affected individuals of “any breach of security safeguards involving personal information under [the organization’s] control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”

  • The Act’s definition of “significant harm” is broad and includes “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”
  • Factors to be considered when assessing the risk of “significant harm” to an individual include the sensitivity of the personal information at issue and the probability of that information being misused.

Details concerning the form, manner, and content of the required notifications, as well as additional factors relevant to the risk assessment, are to be spelled out in the forthcoming regulations.

The Digital Privacy Act provides for fines of up to CA$100,000 for knowing violations of the breach notification requirements or of the requirement that organizations “keep and maintain a record of every breach of security safeguards involving personal information under [the organization’s] control.” Upon request, an organization will be obliged to produce this breach record to the Privacy Commissioner.

It is unclear when regulations will be promulgated for purposes of implementing the federal breach notification requirements in the Digital Privacy Act. Currently, Alberta is the only Canadian province with a mandatory breach notification requirement in effect.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:

BakerHostetler