Cybersecurity Bulletin: Canada to Require Data Breach Reporting

Oct 12, 2017 | Cybersecurity Bulletin, Cybersecurity & Risk Management, Technology

After the Equifax data breach debacle and the countless data breaches before it, consumers, businesses, and governments are on notice that breaches can happen to anyone, anywhere, and that they can affect you no matter what country the breach happened in. Perhaps coincidentally, shortly after this latest breach, the Canadian government made it known that data breach reporting will become mandatory for Canadian organizations and businesses. This is big news and will require some effort to get ready for.

This change from the federal government in Canada concerns data breach reporting under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), a national privacy law. I point this out because Canada also has provincial-level privacy legislation, but the guess is that this new national requirement will not be overruled by any related privacy legislation at the level of Canada’s provinces.

At present there is no detailed clarity on what the breach reporting levels or thresholds will be (e.g., number of records breached or type of data breached), nor is there clarity yet on the breach reporting process, but it will most likely look like the current best practice out of the federal Privacy Commissioner’s office. What is known is that the breach will need to be documented, i.e., the events leading up to the breach and its discovery. So, again, Canadian businesses that are not already prepared will need to complete their preparation for this.

Now the punchline: when will this come into effect? Probably not in 2017, but I would guess it will happen in 2018.
