Companies Beware, Canada Breach Notice Mandate on Horizon

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Peter Menyasz

Companies doing business in Canada should prepare now for a new data breach notice requirement, even though rules won’t be implemented for months and may include a transition period, privacy attorneys told Bloomberg BNA.

Draft regulations to implement the data breach reporting requirements set forth in amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) are expected to be published “in the coming months,” Hans Parmar, a spokesman for Innovation, Science, and Economic Development Canada (ISED), which is responsible for developing the regulations, said. No deadline for issuing final rules has been set. he said. A transition period may be added to address company concerns that they need more time to adapt, he said.

But businesses shouldn’t be sitting on their hands waiting for the rules to be finalized, privacy professionals told Bloomberg BNA. They should be bolstering their data breach defenses and mitigation processes now so that when the breach notice mandate takes effect, they will be better prepared to comply, they said. Large Canadian companies, such as train and airplane manufacturing giant Bombardier Inc., are likely ready for the compliance challenges but smaller companies may not be.

Paige Backman, a partner in the Toronto office of Aird & Berlis LLP and the chairman of the firm’s privacy and data security group, told Bloomberg BNA that companies should “use the intervening time to develop or fine-tune their breach response protocols.” Once a breach happens, it’s “too late” to put protocols in place, she said.

Barry Sookman, a senior privacy partner in the Toronto office of McCarthy Tetrault LLP, agreed, noting that companies need to start establishing breach protocols to determine when notice is required, and what processes are needed to provide notice.

“Many businesses don’t realize that their contracts with their suppliers and service providers who have access to or process personal information need to be amended to include provisions that will enable them to comply with this legislation,” he said.

Backman said companies can also use the waiting time to bolster defenses against data breaches. “Maintaining technological defenses is important, but the greatest vulnerabilities for organizations remain employees and human error,” she said. One of the cheapest and most effective breach defenses is to educate employees about secure handling of data, she said.

Delayed Implementation

The PIPEDA data breach amendments were enacted in June 2015, but it is unlikely the rules will be in place by the fall 2017 target date. Stakeholder consultations on the draft regulations were completed in the fall of 2016, but a further public comment period will start once the draft regulations are officially published, Parmar said.

Bernice Karn, an information technology and privacy partner in the Toronto office of Cassels Brock LLP, told Bloomberg BNA that delays aren’t surprising, given that breach notification under PIPEDA is a subjective exercise based on an organization’s assessment of “real risk of significant harm.”

The Canadian approach is unlike the prescriptive one taken by many U.S. states, she said. “I suspect that the government is trying to be careful in drafting these regulations because they will be what people look to for guidance when making a data breach notification,” she said.

University of Ottawa law professor Michael Geist questioned the need for further delays with transitional periods. “Canadians deserve better,” he told Bloomberg BNA. “Where their information is placed at risk due to a security breach, they are entitled to be informed.”

The Office of the Privacy Commissioner of Canada spokesman Tobt Cohen said the office doesn’t play a direct role in developing the regulations but has advocated for mandatory breach notice. The office will evaluate the final rules to determine if it needs to develop guidance to assist companies “in complying with their new responsibilities under PIPEDA,” he said.

Cohen said companies seeking to prepare in advance of the data breach notice mandate should refer to the office’s existing guidance on how to prevent breaches and how to respond if they do occur— Ten Tips for Reducing the Likelihood of a Privacy Breach and Key Steps for Organizations in Responding to Privacy Breaches.

To contact the reporter on this story: Peter Menyasz in Ottawa at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security