Companies doing business in Canada should prepare now for a new data breach notice requirement, even though rules won’t be implemented for months and may include a transition period, privacy attorneys told Bloomberg BNA.
Draft regulations to implement the data breach reporting requirements set forth in amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) are expected to be published “in the coming months,” said Hans Parmar, a spokesman for Innovation, Science, and Economic Development Canada (ISED), the department responsible for developing the regulations. No deadline for issuing final rules has been set, he said. A transition period may be added to address company concerns that they need more time to adapt, he said.
But businesses shouldn’t be sitting on their hands waiting for the rules to be finalized, privacy professionals told Bloomberg BNA. They should be bolstering their data breach defenses and mitigation processes now so that when the breach notice mandate takes effect, they will be better prepared to comply, they said. Large Canadian companies, such as train and airplane manufacturing giant Bombardier Inc., are likely ready for the compliance challenges but smaller companies may not be.
Paige Backman, a partner in the Toronto office of Aird & Berlis LLP and the chairman of the firm’s privacy and data security group, told Bloomberg BNA that companies should “use the intervening time to develop or fine-tune their breach response protocols.” Once a breach happens, it’s “too late” to put protocols in place, she said.
Barry Sookman, a senior privacy partner in the Toronto office of McCarthy Tetrault LLP, agreed, noting that companies need to start establishing breach protocols to determine when notice is required, and what processes are needed to provide notice.
“Many businesses don’t realize that their contracts with their suppliers and service providers who have access to or process personal information need to be amended to include provisions that will enable them to comply with this legislation,” he said.
Backman said companies can also use the waiting time to bolster defenses against data breaches. “Maintaining technological defenses is important, but the greatest vulnerabilities for organizations remain employees and human error,” she said. One of the cheapest and most effective breach defenses is to educate employees about secure handling of data, she said.
The PIPEDA data breach amendments were enacted in June 2015, but it is unlikely the rules will be in place by the fall 2017 target date. Stakeholder consultations on the draft regulations were completed in the fall of 2016, but a further public comment period will start once the draft regulations are officially published, Parmar said.
Bernice Karn, an information technology and privacy partner in the Toronto office of Cassels Brock LLP, told Bloomberg BNA that delays aren’t surprising, given that breach notification under PIPEDA is a subjective exercise based on an organization’s assessment of “real risk of significant harm.”
The Canadian approach is unlike the prescriptive one taken by many U.S. states, she said. “I suspect that the government is trying to be careful in drafting these regulations because they will be what people look to for guidance when making a data breach notification,” she said.
University of Ottawa law professor Michael Geist questioned the need for further delays with transitional periods. “Canadians deserve better,” he told Bloomberg BNA. “Where their information is placed at risk due to a security breach, they are entitled to be informed.”
Office of the Privacy Commissioner of Canada spokesman Tobi Cohen said the office doesn’t play a direct role in developing the regulations but has advocated for mandatory breach notice. The office will evaluate the final rules to determine if it needs to develop guidance to assist companies “in complying with their new responsibilities under PIPEDA,” he said.
Cohen said companies seeking to prepare in advance of the data breach notice mandate should refer to the office’s existing guidance on how to prevent breaches and how to respond if they do occur: Ten Tips for Reducing the Likelihood of a Privacy Breach and Key Steps for Organizations in Responding to Privacy Breaches.
To contact the reporter on this story: Peter Menyasz in Ottawa
To contact the editor responsible for this story: Donald Aplin
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.