Revamped Federal Privacy Laws
Starting in November 2018, updates to the Personal Information Protection and Electronic Documents Act (PIPEDA) mandate that a data breach is no longer just an issue between a company and its users. Depending on the severity and nature of the breach, the federal government might also need to be included in the response to a data breach.
Determining whether "significant harm" could arise from a data breach is a somewhat murky issue, which will require a judgment call on the part of the company.
How to determine a significant breach?
To assist companies in determining whether a data breach is significant enough to alert the Privacy Commissioner, the federal government has provided two helpful qualifiers:
- First, the company should consider the nature of any personal information involved in the data breach. If the breach leads to the disclosure of sensitive personal information, there is a higher risk that users could suffer significant harm.
- Second, companies must consider the likelihood that the breached data could be misused once it has been improperly disclosed. While financial data (such as credit card information), could be easiest to misuse, companies should avoid downplaying the potential opportunities for hackers to misuse data. Even seemingly benign identifying information (such as names and addresses) can aid in identify theft.
If you need to report a privacy breach at your office, click here to access the government form.
The heightened reporting requirements for data breaches provide an opportunity for companies to consider their data collection strategies and privacy policies. Companies should regularly consider the nature of the information they are gathering from users. Given the increased reporting requirements and risks to users, it is best not to gather any user data that is not necessary for business purposes.
Privacy law continues to be largely based on principles of consent. So long as users understand and agree to share their data, no company will be expected to have an absolutely foolproof security infrastructure. If a data breach does occur, the company, its users, and now the federal government will have clear expectations for how a response should be managed.