Law Requirements After A Data Breach
Under New Law, Canadian Companies Required to Reveal More Information After Experiencing Data Breaches
On November 1, Canadians will finally receive additional, much-needed protection from the considerable threat of data breaches. The final regulations for the Digital Privacy Act, which was first implemented as law in 2015, go into effect November 2018. Under these regulations, all Canadian companies must disclose when sensitive personal information is put at risk by a data breach. Any company affected by a data breach is required to report several crucial pieces of information to the Office of the Privacy Commissioner of Canada (the Commissioner) whenever the breach has the potential to create a “real risk of significant harm to the individual.”
“Significant harm” is interpreted broadly because of the range of consequences that compromised personal data can have, including damage to reputation or relationships, humiliation, and identity theft. A company that has experienced a privacy breach must give notice as soon as possible once the breach has been discovered. The notices sent to the affected individuals must contain enough information to thoroughly inform the recipients of the severity of the breach and how their personal data was compromised. Where applicable, the notice must also instruct the recipients on the steps they can take to reduce the risk of harm.
Under the new regulations, Canadian companies that experience data breaches are subject to mandatory record-keeping for all occurrences. Every time security safeguards are breached, organizations must document the event and provide those records to the Commissioner when asked. If there is public interest, those records may be published. In addition, the information in the records may lead to audits or investigations. There is no established timeline or damage threshold for privacy breach record-keeping – if a breach happens, a company must record all details, regardless of severity.
In more detail, Canadian organizations are mandated to report the following in the event of a data breach:
- All incidents and (if known) causes of any breaches.
- The exact date and time of a breach (if known); otherwise, an approximate time period.
- All personal information that was affected by the breach. If the entire extent isn’t known, an approximation must be given.
- The precise number of individuals affected. If an accurate number isn’t known, an approximation is required.
- The steps the company has taken to lessen or alleviate any harm to individuals that may result from the privacy breach.
- The measures an organization will take in order to notify everyone affected by the breach.
- The name and contact information of the people who can answer any questions the Commissioner has regarding the breach.
Companies that don’t comply with these new regulations in the event of a privacy breach may be subject to fines of up to $100,000.
Under these new rules, Canadian citizens will become better protected from the threats of data breaches. What’s more, the regulations will ensure that companies employ the proper policies, procedures, and safeguards in order to either prevent or detect any breaches, and should a breach occur, effectively mitigate the subsequent damage.