March 23, 2018 - Only one province in Canada - Alberta - currently requires companies to notify consumers when a data breach occurs. That's about to change. The entire country is set to be covered by federal data breach regulations by the end of this year. And because the new Canadian regulations are significantly stronger than most US data breach laws, there is bound to be some cross-border impact. American companies doing business with Canadian consumers, and Canadian companies doing business in the United States, are likely to find it more palatable to comply with the regulations for all of their customers rather than have two standards and run the risk that a breach in one country won't be discovered by those living across the border.
Canada has been implementing its Personal Information Protection and Electronic Documents Act (PIPEDA) since 2015. The final phase of that implementation will take place after new rules for companies are published sometime later this year.
One of the goals of the new regulations is to bring Canada into line with new EU privacy regulations. Those regulations are very consumer friendly and also significantly stronger than US privacy regulations.
The new regulations set a standard for data breach notification. If it is determined that there is "a real risk of significant harm" to consumers whose data is breached, the company must report the breach to anyone whose data was included in the breach and report the incident to the government's Privacy Commissioner.
Unlike American data breach regulations, the term "real risk of significant harm" applies to more than just the risk of identity theft. Information that could be embarrassing, damage reputations, impact employment, or lead to any financial loss, including damage to or loss of property, would all be covered under the law.
Draft regulations were published by the Canadian government late last year. No date for the final regulations has been announced yet, but it is expected soon. Once the new regulations are published, companies will be given a window to implement them.
by Jim Malmberg