The long awaited amendments to The Personal Information Protection and Electronic Documents Act (PIPEDA), called the Digital Privacy Act, received Royal assent on June 18, 2015. Bill S-4 is now law in Canada. Although Cabinet has not yet proclaimed the Act’s breach reporting provisions in force, Canadian businesses should be preparing to comply with them.
An Organization’s Obligations
There are now three breach reporting requirements “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual” as follows:
- Reporting to the Privacy Commissioner;
- Reporting to the individual;
- Reporting to agencies that can reduce harm to the individual.
In this context significant harm is now broadly defined and “includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”.
Consequences for non-Compliance
The Commissioner’s office may disclose information about an organization’s personal information (PI) management practices to the public if it believes disclosure to be in the public interest. The Commissioner’s office can enter into compliance agreements with organizations that it believes are, or may be, subject to breaches. Anyone who knowingly contravenes these requirements is subject to a penalty of up to $10,000 on summary conviction or $100,000 on indictment.
What does this mean in the context of cyber risk management?
It is now a requirement of Canadian organizations to report cyber breaches which may cause “significant harm” as described above to report them both to the Privacy Commissioner and to the individual(s) affected. They may also be required to notify other organizations, such as law enforcement, should damage caused by the breach potentially be mitigated.
More than anything else, this development will substantially increase awareness of the extent cyber breaches involving personally identifiable information are occurring in Canada. As a result organizations of all sizes and sectors will now be more likely to take this important subject much more seriously. Not only may financial penalties be levied, considerable damage to the organization’s reputation may result as a result of public notification and disclosure.
Doug Blakey B. Math
President, Watsec Cyber Risk Management (watsec.com)
and Director, Canadian Centre for Cyber Risk Management (C3RM) (c3rm.org)