As of November 1, 2018, organizations will be required to report breaches to the Office of the Privacy Commissioner (OPC) of Canada. The Canadian government published the Breach of Security Safeguards Regulations specifying the requirements for notifying the OPC and affected individuals of data breaches that pose a “real risk of significant harm.”

As per the OPC, “significant harm” may include humiliation; damage to reputation or relationships; identify theft; bodily harm; loss of employment, business or professional opportunities; financial loss; identity theft; and damage to or loss of property.

With this in mind, once a breach of significance is discovered, the organization is mandated to notify all affected individuals, and report it to the Commissioner of Canada as soon as feasible.
As well, the organization will be required to notify all other organizations that can help to mitigate any harm to the affected individuals and; maintain a record of any data breach that the organization becomes aware of and provide it to the Commissioner on request.

As per the Canada Gazette, the main objectives of the proposed regulations are to:

  • Ensure all Canadians receive consistent information about data breaches that pose a risk of significant harm to them.
  • Ensure that data breach notification contains sufficient information to enable individuals to understand the significance and potential impact of the breach.
  • Ensure that the Commissioner receives consistent and comparable information about data breaches that post a risk of significant harm.
  • Ensure that the Commissioner is able to provide effective oversight and verify that organization are complying with the requirements to notify affected individuals of the data breach and report the breach to the Commissioner.

Breach Reports to the Commissioner are to include the following details:

  • A description of the circumstances of the breach and, if known, the cause;
  • The day on which, or period during which, the breach occurred or, if neither is known, the approximate period;
  • A description of the personal information that is subject of the breach to the extent that the information is known;
  • The number of individuals affected by the breach or, if unknown, the approximate number;
  • A description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;
  • A description of the steps that the organization has taken or intends to take to notify affected individuals of the breach; and
  • The name and contact information of a person who can answer, on behalf of the organization the Commissioner’s questions about the breach.

Canada’s current federal privacy law for how businesses must handle personal information is known as the Personal Information protection and Electronic Documents Act (PIPEDA).

This breach notification obligation was introduced as part of the Digital Privacy Act, which brought amendments to the PIPEDA, including breach reporting provisions under Division 1.1 of PIPEDA. The reporting requirements were published in April 2018, giving in-scope organizations approximately six months of time to prepare.

These new PIPEDA regulations correspond with the European Union’s General Data Protection Regulation (GDPR) enforcement that also includes mandatory breach reporting. European companies must provide comparable information to authorities and individuals, and keep a record of all data breaches, as the Government stated in the Breach of Security Safeguards Regulations.

Consequences of Non-Compliance

Depending on the nature of the breach and your organization response to said breach, or lack thereof, the OPC can impose fines of up to $100,000. However, the fine itself may seem insignificant in comparison to the consequences of a data breach on your brand’s reputation, customer confidence and loyalty.

Protecting Your Organization

There are a number of measures that your organization can implement now to prepare for the new mandatory data breach reporting rules. To start, a thorough review of your existing security safeguards that your organization has in place to protect it.

Though many organizations have internal Risk Management departments, the fact remains that most remain grossly unprepared and unqualified for the job. The vast majority of these organizations would greatly benefit from bringing in a third-party vendor of experts in the field of Cyber Security, namely Penetration Testers or Ethical Hackers.

Ideally, to protect your organization against hackers, you’re going to require a team of similar minds on your defensive arsenal, the best of the best.

For information on Choosing a Penetration Testing Company, or to learn more about the services that would best suit your organization, please review our website and contact us for in-depth information on how to prepare your organization.