December 30, 2016 - Despite efforts in Congress to weaken state data breach notification laws, changes in Canadian law are likely to help Americans, because data breaches don't respect borders. Legislation to update Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) is moving through Parliament and is likely to go into effect sometime in 2017. The changes will require companies to notify the country's Privacy Commissioner of any data breach where there is "a real risk of significant harm." And any time there is a real risk of significant harm to individuals, those individuals will also need to be notified.
The effect of this on American companies remains to be seen, but any American company with Canadian customers would be covered under the law. This means that regardless of anything that Congress does to usurp state data breach notification laws, American companies doing business in Canada and Canadian and international companies doing business in the United States would have difficulty hiding data breaches.
This is exactly the same situation that occurred after California became the first state to mandate data breach notification to consumers. ChoicePoint was the first large data breach that occurred after the law went into effect. The company was forced to notify 35,000 California residents that their data had been breached but stated that residents of other states weren't impacted. Within a week, they were forced to change that position due to questions being asked in the media. The company then stated that 145,000 consumers in virtually every state were impacted.
Any company subject to PIPEDA would be well advised to continue making notifications of data breaches to American consumers even if American law doesn't require them to. Consumers have shown that they will vote with their feet if they don't trust the companies that they do business with. Any company that gets caught up in a situation similar to that of ChoicePoint would certainly lose customers and could actually find its entire business threatened if consumers decide to take their business elsewhere.
by Jim Malmberg