Canada's first nationwide data security breach notification requirement will become enforceable in a few days. Here is what you need to know "ah-boot" it:
Back in 2015, the Digital Privacy Act (DPA) received Royal Assent, making it law. The DPA introduced a number of amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal privacy law governing the private sector (the Privacy Act governs the federal public sector), and these changes were scheduled to become effective over time. Among the amendments were new provisions related to data security breach reporting, which will become enforceable on November 1st, 2018.
The amendments to the PIPEDA made by the DPA include the following:
- data breaches that pose a "real risk of significant harm" to individuals will need to be reported to the Office of the Privacy Commissioner, and affected individuals will need to be notified;
- an organization may also be required to notify other organizations if they are in a position to protect affected individuals from harm (e.g. credit card companies, financial institutions or credit reporting agencies, if their assistance is necessary for contacting individuals or assisting with mitigating harm);
- records of all data breaches experienced by an organization will need to be maintained (for 24 months) and provided to the Privacy Commissioner upon request;
- deliberately failing to report a data breach, or deliberately failing to notify an individual as required, will be separate offences subject to fines of up to CA$100,000. In the case of notification to individuals, it will be a separate offence for every individual who is not notified; and
- deliberately failing to keep, or destroying, data breach records will also be an offence, subject to a fine of up to CA$100,000.
The new Breach of Security Safeguards Regulations, published in the Canada Gazette (which sounds infinitely more readable than the Federal Register) on April 18, 2018, will also come into force on November 1, along with the related statutory requirements.
You can read more about the law here.
Data breach notification in the United States is required by certain federal laws that govern specific industries, and every state in the United States now has a data security breach notification requirement. Alabama and South Dakota were the last states to adopt notification requirements, and both of those statutes became effective earlier this year, as I described back in April.