
Canada Imposes New Data Breach Reporting Regulations on Organizations

Canadian organizations will soon be obliged to meet minimum reporting requirements following a personal data breach, the country’s federal government said.

The mandatory regulations take effect on November 1. Unlike the European Union’s General Data Protection Regulation (GDPR), whose compliance deadline is imminent and which requires notifying the supervisory authority within 72 hours of becoming aware of a breach, the Canadian rules do not impose hard timelines for reporting a breach, Toronto’s Globe and Mail reported.

No comparable uniform federal reporting requirement exists for U.S. companies; it will be worth watching whether the cyber security report President Trump sent to Congress last week, which details the country’s policy for defending against foreign nation-state hackers, references fixed reporting requirements for either the public or private sector.

Canadian Data Breach Disclosure Requirements

Under Canada’s new regulations, organizations will be required to disclose to affected individuals and to the country’s privacy commissioner the harm a breach of personal data might cause. Specific disclosures must also include the following (via the Globe and Mail):

  • Circumstances and time frame of the breach.
  • The type of personal information that has been accessed.
  • How the organization is minimizing harm from the incident.
  • What individuals can do to minimize risk.
  • How an organization will notify consumers.
  • Contact details that the Commissioner’s office or affected individuals can use to ask questions about the incident.

Failure to comply carries a fine of up to $100,000 for each violation. While the new regulations do not set time frames for meeting the reporting requirements, Navdeep Bains, Canada’s minister of innovation, science and economic development, said they do offer organizations flexibility to confirm that a security incident has occurred, assess the damage and respond to the threat. Still, Bains said, the regulations imply that affected persons must be notified with some haste.

Pressure on the Canadian federal government to regulate data breach reporting has increased over the last 18 months following delays in informing the millions of individuals affected by a slew of attacks on prominent companies, the Globe and Mail said. No doubt officials also noted the harsh blowback Yahoo took after failing for three years to disclose a massive breach that hit three billion user accounts.

Meanwhile, GDPR Compliance Deadline Approaches

Canada’s move to regulate data breach reporting arrives alongside the May 25 start of GDPR enforcement, which imposes far stricter privacy rules than Canada’s do. It also comes in the wake of the unauthorized data harvest by the political consulting firm Cambridge Analytica that affected nearly 90 million Facebook users. Relatedly, some Canadian cybersecurity experts have claimed the new rules do not extend to third-party Canadian businesses that harness consumer data, the Globe and Mail report said.

Privacy Commissioner Daniel Therrien’s office told the Globe and Mail that even though the new regulations represent only “limited progress” toward safeguarding Canadians’ personal information, the agency “strongly support(s) the move to mandatory breach reporting.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.