Winter Is Coming & Canadian Data Breach Rules Are Coming… Eventually


Nobody is sure exactly when companies operating in the Great White North will finally be required to give notice of data breaches. Canada has been slowly moving to finalize breach notice rules since 2015. The Equifax Inc. data breach may speed up the process or at least keep it on track, privacy professionals tell Bloomberg BNA.

Although Equifax said that the personal data of only 100,000 Canadians was included in the personal data of 143 million consumers exposed in the massive breach, the credit bureau's Sept. 19 notification to Canadians—nearly two weeks after it disclosed the breach in the U.S.—demonstrates why mandatory breach notice in Canada is essential, they said.

However, according to some lawmakers, regulators, and consumers in the U.S., where Equifax was faced with data breach notice laws in 48 states and the District of Columbia, Equifax didn’t act quickly enough. Equifax waited until six weeks after it discovered a hacking intrusion to disclose the breach. 

So, it is unclear whether having the breach notice regulations in place in Canada would have made a difference. Mandatory breach notification probably won’t help in a situation where a company chooses to adopt Equifax’s approach, Michael Geist, a privacy law professor at the University of Ottawa, said.

Canada passed a mandatory data breach notice law in 2015. The rules to implement the law were released Sept. 2, 2017, and there’s no deadline for finalizing them.

In addition, the Canadian government has said it intends to give companies time to transition to the rules after they are finalized. But hasn't indicated how long of a grace period it will allow. 

The Office of the Privacy Commissioner of Canada launched an investigation into the breach in response to complaints from Canadian consumers. “The investigation is a priority for our office given the sensitivity of the personal information that Equifax holds,” the office said.

The Equifax breach reinforces the need for data breach reporting, Valerie Lawton of the privacy office said.

Paige Backman, chair of the privacy and data security group at Aird & Berlis LLP in Toronto, said that the Equifax breach highlights the need for mandatory notification because of the nature of the information compromised and because many consumers were unaware that Equifax had their personal information.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.