As legislation changes and the breach notification requirements in Canada evolve, so too will the costs associated with damage from hackers, breaches, cyber extortion, and other cyber-related crimes.
Not exact matches
Law seeks to create a unified, federal breach-notification standard that would streamline the requirements for companies in the face of a breach.
It was held that a three-year sentence for breach of notification requirements (in operation due to offence of rape) reduced on appeal to 18 months.
In addition to the notification requirements under privacy legislation, the organization could also have a broader legal duty under negligence law to notify an individual whose data has been breached if that breach could harm, or could materially increase the risk of harm to, that individual.
Covered entities need to have a clear policy and procedures in place to respond to the Breach Notification Rule's timeliness requirements.
For further about data breach notification requirements of the My Health Records Act see OAIC's Guide to mandatory data breach notification in the My Health Record system.
PIAC called into question likelihood of public knowledge on breach notifications in light of the lack of reporting requirements.
In contrast, neither the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) nor corresponding provincial statutes include an explicit security breach notification requirement.
Now that I am based in the UK, I am assisting clients across the EU who are gearing up for enhanced breach notification requirements arising from the GDPR.
To the extent that the proposed Regulations can align data breach reporting under PIPEDA with requirements in other jurisdictions, this would reduce the burden of notification for many organizations in Canada.
PIPEDA even lags behind the laws of those few provinces that have their own private sector data protection statutes: Commissioners in Quebec, B.C. and Alberta have order making powers, and Alberta also has mandatory data breach notification requirements.
In addition, PIPEDA has no mandatory data breach notification requirements which would inform the commissioner's office when a breach occurred so that it could investigate and address data protection issues.
While it is not clear whether this precipitated the implementation of the Act's data breach notification requirements, it certainly means that any businesses operating in Canada should take immediate action to prepare for the changes.
Facebook didn't alert users that Cambridge Analytica was in possession of wrongfully obtained data, even though it knew about it for years, and although the company says it's going to alert everyone affected, without a federal data breach notification requirement, there's nothing preventing the company from deciding to keep users in the dark again.
The regulation includes mandatory notification of any data breaches within 72 hours, and a requirement that sites get explicit consent from users in order to collect data.
In Europe, such concerns prompted the passing of the General Data Protection Regulation (GDPR) which will be enforced in May 2018 and that enacts legal requirements for privacy, breach notifications, and more.