August 2018 - New Data Breach Disclosure Laws

Published on August 1, 2018

Law set to take effect November 1, 2018

Due to the recent increase in major company data breaches new regulations are going to be going into effect. Canadian companies will be required to tell consumers when personal information is at risk due to a data breach. The law will go into effect on November 1, 2018. Organizations will be required to provide:
  • A description of the breach, including the date and type of information at risk
  • The steps taken by the organization to reduce risk and harm
  • How the affected individuals can reduce their risk after the breach
  • Contact information to obtain more information and information about the organization’s internal complaint process and the affected individual’s right to file a complaint
Any organizations that fail to report breaches or take the proper steps could face fines up to $100,000. The new security breach notification provisions contain a three-pronged notice requirement:
  1. a report to the Office of the Privacy Commissioner of Canada
  2. a notice to affected individuals
  3. a notice to other organizations.
A report to the Commissioner is required “as soon as feasible after the organization determines that [a breach of security safeguards] has occurred,” where the breach involves personal information under the organization’s control and it is reasonable to believe that the breach creates a “real risk of significant harm” to an individual. The proposed Regulations prescribe the content, form and manner of the reporting.

A notice to affected individuals is required—unless prohibited by law—if it is reasonable to believe that the breach creates a “real risk of significant harm” to the individuals. The notification must be given “as soon as feasible after the organization confirms that the breach has occurred,” and the Regulations similarly prescribe the content, form, and manner of notification, which must include (i) a description of the circumstances of the breach, (ii) a description of the personal information that is the subject of the breach, and (iii) a toll-free number or email address that the affected individual can use to obtain further information about the breach.

Organizations are also required to “notify any other organization, a government institution, or a part of a government institution of the breach” where the notifying organization believes that the other organization or institution “may be able to reduce the risk of harm that could result or mitigate that harm, or if any of the prescribed conditions are satisfied.” The proposed Regulations are silent with respect to any prescribed conditions in relation to the notification of organizations.

---------

Does your organization hold client data covered by these regulations? The definition of "personal information" is very broad, and covers most businesses that record information about their clients. If you are not sure, we can help you find out. More importantly, we can help you to improve the security of your data.
Give us a call at 817-1212 or email [email protected] and we will schedule a security assessment.