In contrast, neither the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) nor corresponding provincial statutes include an explicit
security breach notification requirement.
Mårten Mickos, CEO of HackerOne, a bug bounty startup, urged legislators to revise laws used to prosecute hackers and to standardize data
breach notification requirements at the federal level.
#.1.2 It is DOT's intent to be compliant with all applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance concerning
PII Breach notification requirements.
Data Breach Preparedness and Response: Develop and implement incident response preparedness, response and notification plans to help companies meet the 72-hour
breach notification requirements.
Even though PIPEDA does not have mandatory data
breach notification requirements yet, the privacy commissioner has always encouraged notification if the breach is significant and companies want to get ahead of the story by notifying relevant regulators before an individual makes a complaint or the media breaks the story — if only to better shape the narrative.
In addition, PIPEDA has no mandatory data
breach notification requirements which would inform the commissioner's office when a breach occurred so that it could investigate and address data protection issues.
PIAC argued that the current voluntary
data breach notification requirements are not serving the public interest because companies are allowed to decide whether the scope of a data breach warrants notifying the public — an argument PIAC has been making since 2003.
Among these changes are new
breach notification requirements and increased penalties...
However, the private sector B.C. Personal Information Protection Act does not have mandatory data
breach notification requirements.
Accountability, Data Security, Data Impact Assessments and
Breach Notification Requirements (10/13/2016)
As we previously reported, the Digital Privacy Act, which amended Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) to include a mandatory
breach notification requirement, became law nearly three years ago.
However, on October 3, 2017, the Article 29 Working Party issued guidelines interpreting these data
breach notification requirements.
As legislation changes and
the breach notification requirements in Canada evolve, so too will the costs associated with damage from hackers, breaches, cyber extortion, and other cyber-related crimes.
PIPEDA even lags behind the laws of those few provinces that have their own private sector data protection statutes: Commissioners in Quebec, B.C. and Alberta have order making powers, and Alberta also has mandatory data
breach notification requirements.
While it is not clear whether this precipitated the implementation of the Act's data
breach notification requirements, it certainly means that any businesses operating in Canada should take immediate action to prepare for the changes.
Facebook didn't alert users that Cambridge Analytica was in possession of wrongfully obtained data, even though it knew about it for years, and although the company says it's going to alert everyone affected, without a federal data
breach notification requirement, there's nothing preventing the company from deciding to keep users in the dark again.