Canada is considering incorporating fines for organizations that do not proactively notify individuals or the appropriate regulatory bodies of data breaches.
Bill S-4, the Digital Privacy Act, is now before the House of Commons. It would amend the Personal Information Protection and Electronic Documents Act to include mandatory breach notification provisions to alert both affected individuals and the privacy commissioner if there’s an incident, and would require compromised organizations to keep a record of every breach.
“On breach notification, I think Bill S-4 has it right,” said Chantal Bernier, former interim privacy commissioner of Canada, who is now counsel at Dentons LLP, speaking to Canadian Lawyer Magazine. “You need to make breach notification mandatory so the affected individuals can protect themselves.”
Failure to comply could result in fines of up to $100,000, but the language of the bill leaves significant loopholes open. For one, notification will be required only in cases that inflict “significant harm,” including “physical and moral” harm. The bill also does not specify a notification window, saying only that notification should be carried out “as soon as possible.”
Bernier argued that it’s the right approach, however. “Making it just for significant harm avoids notifying individuals needlessly and worrying them in the absence of real consequences,” she said. “My experience has been that people can react very acutely to the announcement of a privacy breach. There is such concern with fraud I would want us to be very judicious in when we notify or not.”
The U.S. has fairly well-established notification requirements in place across verticals, but Canada has only a limited, regional patchwork of laws for this, meaning that mandatory notification would be a significant cultural shift for organizations located there. Laws already in place include Ontario’s Personal Health Information Protection Act, Newfoundland and Labrador’s Personal Health Information Act, New Brunswick’s Personal Health Information Privacy and Access Act, and Alberta’s PIPA, all of which require mandatory data breach notification.