Legal Requirements After A Data Breach

New regulations that came into full effect on November 1, 2018 require companies that experience a data breach to properly notify the affected customers and the federal privacy regulator.

As of November 1, 2018, Canadians have new protection from the threat of identity theft.  When a company you do business with experiences a data breach, your personal information may be at risk.  Under this legislation, companies are compelled to a greater extent to notify you of the breach and of what personal information of yours may be exposed.  The final regulations under the Digital Privacy Act, which was passed into law in 2015 and amended the federal private-sector privacy law (PIPEDA), took effect in November 2018.  Under these regulations, organizations subject to PIPEDA must disclose when sensitive personal information is put at risk by a data breach.  A breach must be reported to the Office of the Privacy Commissioner of Canada (the Commissioner) if it is reasonable to believe it creates a "real risk of significant harm to the individual."

"Significant harm" includes damage to reputation or relationships, humiliation, financial loss, and identity theft.  If a company experiences a breach that meets this threshold, it must notify the affected individuals as soon as feasible, with enough information about the breach to help them reduce or mitigate the potential harm.

Under these new regulations, organizations must keep a record of every breach of security safeguards, not only those that meet the reporting threshold.  These records must be retained for 24 months and provided to the Commissioner on request.  If it is in the public interest, the Commissioner may make information about a breach public.  All data breaches must be recorded, regardless of size or severity.

A report to the Commissioner must include the following:

  • A description of the circumstances of the breach and, if known, its cause.
  • The day on which the breach occurred or, if that is not known, the approximate period during which it occurred.
  • A description of the personal information involved, to the extent it is known.
  • The number of individuals affected or, if an accurate number isn't known, an approximation.
  • The steps the organization has taken to reduce the risk of harm to affected individuals or to mitigate that harm.
  • The steps the organization has taken or intends to take to notify everyone affected by the breach.
  • The name and contact information of a person who can answer the Commissioner's questions about the breach.

Fines of up to $100,000 per violation may apply to organizations that knowingly fail to report a breach, notify affected individuals, or keep the required records.

Canadians are now better protected through these new regulations.