Gov’t releases data-breach reporting rules

Organizations that suffer a breach of users’ personal information must conduct a risk assessment to determine if it poses a “real risk of significant harm” to the affected individual and, if so, report it to the federal privacy commissioner and the people involved as soon as possible, according to new rules on data breach reporting. Published this week’s Canada Gazette, the rules come after Innovation Canada’s consultation on data breach reporting rules, which followed the last update to the Personal Information Protection and Electronic Documents (PIPEDA) Act. In addition to notifying the Privacy Commissioner of Canada and the affected individuals “as soon as feasible,” organizations that suffered a data breach also have to “notify any other organization that may be able to mitigate harm to affected individuals” as well as “maintain a record of any data breach that the organization becomes aware of and provide it to the Commissioner upon request.” The proposed rules lay out a minimum standard for the type of information that must be included in the report to the commissioner and individual, including a description of the type of information breached, when the breach occurred, and steps taken to reduce the risk of harm. It also sets outs that individuals must be notified directly, whether via email, letter, phone call or in person unless “the cost of giving direct notification is prohibitive for the organization” or if “the giving of direct notification would cause further harm to the affected individual.” Organizations also have to keep a record of every breach for 24 months after the day it was discovered. “The proposed time frame reflects the standard practice in most provinces for limitations on initiating civil litigation,” said a regulatory impact analysis statement accompanying the new regulations. “It is intended to be a minimum requirement, providing for the retention of data breach records for longer than two years, if an organization’s other obligations, practices or requirements so dictate.” This requirement is also meant to drive extra attention to internal cyber security. “Mandatory breach reporting and record-keeping provide a much needed incentive for organizations to adopt better security practices,” the statement said, citing a 2016 EY cyber security report that found “that the majority of organizations currently do not increase their cyber security spending after experiencing a breach that does not appear to do any harm.” It added that the report’s authors “indicate that this is concerning given that cyber criminals often make ‘test attacks,’ lie dormant after a breach, or use a breach as a diversionary tactic to throw organizations off the trail of what they are really up to.” The required record keeping will “also ensure that breach reports to the Commissioner are provided in such a way that incidents can be compared and aggregated to provide a much needed repository of information on data security incidents in Canada,” the statement said, allowing for metrics to be developed for “evidence-based policy-making.” The statement recognized that many companies already have data-breach reporting procedures in place and the new rules “create certainty across the marketplace about how organizations notify individuals affected by a breach.” It also noted that the proposed regulations bring Canada into alignment with a variety of provincial legislations as well as that of international partners, such as the European Union. Implementing these new rules is expected to inflict a nominal cost on businesses, the statement added, “given that the bulk of the compliance and administrative burden arises from the statutory obligations imposed by the Digital Privacy Act.” Interested parties have until 30 days after the Sept. 2 publication date on the Gazette notice to make comments on the new rules. — With reporting by Charelle Evelyn at cevelyn@thewirereport.ca and editing by Anja Karadeglija at akarad@thewirereport.ca

Gov’t releases data-breach reporting rules

News | September 1, 2017

Unlock all the Canadian telecom, broadcasting and digital media news you need.

FREE TRIAL

SUBSCRIBE

Inside The Wire Report

Information

Hill Times Publishing

Get in Touch With Us

Gov’t releases data-breach reporting rules

News | September 1, 2017

Unlock all the Canadian telecom, broadcasting and digital media news you need.

FREE TRIAL

SUBSCRIBE

Related Stories

‘Outdated’ regulatory tools unsuitable for online environment, streamers tell CRTC

Local providers key to broadband rollout, CanWISP told

Telesat, feds announce new Gatineau campus

Iristel, Bell still in dispute over repayments, disconnections

Reuse & Permissions

Inside The Wire Report

Information

Hill Times Publishing

Get in Touch With Us