Canada’s private sector organizations must report all serious data breaches or face stiff penalties, according to new provisions in the country’s Personal Information Protection and Electronic Documents Act (PIPEDA).
Government officials first indicated in April that minimum data breach requirements would come into effect on November 1. Th new PIPEDA rules require all organizations, irrespective of size, to track data breaches and store records for at least two years. While PIPEDA has been applied since 2001 to private businesses, legislators have been moving toward mandatory breach reporting in the last three years, BankInfoSecurity reported.
"Mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information," said Canadian Privacy Commissioner Daniel Therrien, according to the report. Canada’s Office of the Privacy Commissioner (OPC) enforces PIPEDA compliance. “Whether a breach of security safeguards affects one person or a 1,000, it will still need to be reported if your assessment indicates there is a real risk of significant harm resulting from the breach," the OPC said.
Last April, Therrien’s office told the Toronto Globe and Mail that even though the new regulations offer “limited progress” to safeguard Canadians’ personal information, the agency “strongly support(s) the move to mandatory breach reporting.” Pressure on the Canadian federal government to regulate data breach reporting has increased following delays in informing millions of individuals affected by a number of attacks on prominent companies, the Globe and Mail said in the report.
Unlike the impending deadline for compliance with the European Union’s General Data Protection Regulation (GDPR), the Canadian version does not impose hard timelines for reporting a digital burglary. No such uniform reporting instructions exist for U.S. companies. However, similar to the GDPR, organizations not adhering to PIPEDA’s rules also face significant fines. The government has laid out specific data breach reporting requirements of businesses and the associated fines. Organizations that fail to report a breach could be hit with a $76,000 fine. Not alerting a data breach victim could cost the violator $100,000 per individual. And, destroying records, for whatever reason, will cost an organization a fine of up to $100,000, according to the government (via BankInfoSecurity).
Under the new law’s provisions, organizations must:
- Alert the OPC to any data exposure and admit if they have failed to put appropriate measures in place.
- Keep a report of all breaches, but only need to report breaches that pose a real risk of significant harm.
- Keep records of all breaches of security safeguards.
- Report any security breaches that involve data under an organization’s control.
- Assess all breaches on a case-by-case basis and make sure that any third parties handling its data secure it.