Canada stiffens data breach reporting requirements
QUEBEC CITY — Corporations experiencing significant data breaches in Canada no longer have the option of keeping quiet, as the failure to inform regulators or customers can now potentially result in significant noncompliance penalties.
The Digital Privacy Act passed in June makes significant changes to Canada's Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA, which sets standards for the collection, use and disclosure of personal information in the course of commercial activities.
The new legislation requires organizations to notify affected individuals and the Privacy Commissioner of Canada where there is a reasonable belief that the breach creates a “real risk of significant harm” to the individual. It also requires organizations to keep and maintain a record of every breach of safeguards involving personal information under their control, regardless of whether the breach creates a risk of significant harm.
“It's been interesting in the last few years to see companies respond by saying there's a breach that we're just going to keep quiet about because if we're quiet about it, maybe it didn't happen,” Kadey B.J. Schultz, a partner with law firm Schultz Frost L.L.P. in Toronto, told attendees of the 2015 RIMS Canada conference in Quebec City on Monday. “That doesn't work so well. In Canada now, we know that the notices need to go out.”
Violations of the breach notification and record-keeping obligations can result in punishment ranging from summary conviction and a $10,000 fine to indictable conviction and a $100,000 fine, meaning Canada has gone from a somewhat “Wild, Wild West” environment with little regulation to a fine-based regulatory environment for data breaches, Ms. Schultz said.
“There's no question that some of the provisions of this act are scary in terms of what they are setting the tone for,” said Patrick Bourk, senior vice president for Integro Ltd. in Toronto.
A 2015 decision by the Supreme Court of British Columbia illustrated the developing risk with regard to data breaches and the willingness of Canadian courts to allow damage awards even for nominal breaches in which no injury is suffered, Ms. Schultz said. The plaintiff sued the Bank of Montreal for damages after the bank changed her address in its computer system, which led to her banking information being sent to her ex-husband. She claimed her privacy had been violated and eventually received damages of $2,000, with the bank “lucky” that higher damages were not awarded, Ms. Schultz observed.
“That’s what we’re seeing in Canada, which is very different than the U.S.,” she said. “There seems to be a higher tolerance in the Canadian courts to allow for compensation just where a breach has occurred.”
A separate 2012 case decided by the Ontario Court of Appeal, also involving the Bank of Montreal, centered on an employee who accessed the bank account of her partner’s ex-wife 174 times over four years, in violation of the bank’s code of business conduct.
The new legislation makes it clear that corporations will need to develop a breach response system and a new standard of care that will warrant attention, she said. However, having a strong system could also allow corporations to prove that information did not leak out despite the breach, which could help them avoid major payouts in the Canadian courts, she said.
“This is never going to be about not having breaches,” she said. “The breaches are going to occur. It is what have we done to create a system of responsibility and accountability for owning the information that we have so that if a breach does occur, that there's a really solid system in place and a good team in place to respond to that breach.”