BreachExchange mailing list archives

Canada Moves Forward with Mandatory Federal Security Breach Notification Law
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 25 Jun 2015 19:19:37 -0600

http://www.jdsupra.com/legalnews/canada-moves-forward-with-mandatory-98461/

On June 18, 2015, the Canadian Minister of Industry announced that the
Digital Privacy Act, which amends Canada’s foundational Personal
Information Protection and Electronic Documents Act (PIPEDA), has received
royal assent and is now law. Although the Act contains a number of
provisions that are likely to impact organizations doing business in
Canada, certain key features—notably, the security breach notification
requirements—will not come into effect until regulations are issued by the
Canadian government.

Pursuant to amendments contained in the Digital Privacy Act, organizations
will be required to notify the Privacy Commissioner and affected
individuals of “any breach of security safeguards involving personal
information under [the organization’s] control if it is reasonable in the
circumstances to believe that the breach creates a real risk of significant
harm to an individual.”

- The Act’s definition of “significant harm” is broad and includes “bodily
harm, humiliation, damage to reputation or relationships, loss of
employment, business or professional opportunities, financial loss,
identity theft, negative effects on the credit record and damage to or loss
of property.”
- Factors to be considered when assessing the risk of “significant harm” to
an individual include the sensitivity of the personal information at issue
and the probability of that information being misused.

Details concerning the form, manner, and content of the required
notifications, as well as additional factors relevant to the risk
assessment, are to be spelled out in the forthcoming regulations.

The Digital Privacy Act provides for fines of up to CA$100,000 for knowing
violations of the breach notification requirements, or the requirement that
organizations “keep and maintain a record of every breach of security
safeguards involving personal information under [the organization’s]
control.” Upon request, an organization will be obliged to produce this
breach record to the Privacy Commissioner.

It is unclear when regulations will be promulgated for purposes of
implementing the federal breach notification requirements in the Digital
Privacy Act. Currently, Alberta is the only Canadian province with a
mandatory breach notification requirement in effect.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss