Canada to Require Data Breach Reporting

After the Equifax data breach debacle and the countless data breaches before it, consumers, businesses, and governments are on notice that breaches can happen to anyone, anywhere, and that they can affect you no matter what country the breach happened in. Perhaps coincidentally, shortly after this latest breach, the Canadian government made it known that data breach reporting will become mandatory for Canadian organizations and businesses. This is big news and will require some effort to get ready for.

This modification from the federal government in Canada concerns data breach reporting under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the national privacy legislation. Now, I point this out because Canada also has provincial-level privacy legislation, but the guess is that this new national privacy act requirement will not be overruled by any related privacy legislation at the level of Canada’s provinces.

Presently there is no detailed clarity on what will constitute breach reporting levels or thresholds (e.g., number of records breached or type of data breached), nor is there clarity yet on the breach process, but it will most likely look like the current best practice out of the federal Privacy Commissioner’s office. What is known is that the breach will need to be documented, i.e., the events leading up to the breach and its discovery. So, again, Canadian businesses that are not already prepared will need to complete their preparation for this.

Now the punchline: when will this come into effect? Probably not in 2017, but I would guess it will happen in 2018.

Anthony English, with Mariner Innovations, is one of the top cybersecurity professionals in Atlantic Canada. Anthony has extensive Canadian and international experience in cybersecurity covering risk assessment/management/mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness/lecture/presentation and standards-based compliance.