Canada ponders mandatory data breach notification law


Canada has been making significant progress at modernizing many of its laws to cope with the realities of 21st century life.

Just last month Bill C-28 took full effect. The bill is aimed at making spamming illegal in Canada. A little late to the party, but welcome nonetheless.

On Thursday, Industry Minister Christian Paradis proposed Bill C-12, an update to PIPEDA (the Personal Information Protection and Electronic Documents Act).

Paradis’ update would transform the existing privacy law into a mandatory data breach notification act.

In the USA and Europe this type of law has helped inform consumers about the risks to them when their personally identifiable information (PII) is lost or stolen.

Unlike much of the legislation passed in the United States, though, the bill is quite vague about what constitutes a data breach and exactly how an organization would determine that.

Many exemptions are proposed to allow personal information to be shared with the government, police, banks, and insurance companies and for the purpose of preventing fraud.

The bill would also allow for personal information to be shared in the event of illness, injury or notification to next of kin.

One interesting provision is that when an organization seeks consent to share an individual’s personal information, the person granting consent must “reasonably understand” the implications of that choice.

It seems this is intended to protect minors or others who are incapable of understanding decisions that could affect their privacy.

So, how does Canada define a data breach that might meet the criteria for mandatory notification?

The proposed bill takes three factors into account: the sensitivity of the personal information that was lost or stolen, the number of people affected and whether it constitutes a systemic pattern of failure.

Organizations must notify potential victims as soon as possible if there is “real risk of significant harm.” This is defined as the leaked information’s potential to cause any of the following:

  • Bodily harm
  • Humiliation
  • Damage to reputation or relationships
  • Loss of employment
  • Damage to business or professional relationships
  • Financial losses
  • Identity theft
  • Damage to credit
  • Damage to property

While the list of potential harms makes complete sense, there is no definition whatsoever of how big is big enough. Is it 10 people? 1000 people? Is it different if you live in Nunavut or Toronto?

I applaud the Minister for proposing this update, and hope that some of the current vagueness can be worked out in the House of Commons. If Canada manages to move forward on this, perhaps it could apply some pressure on our friends from down under.

In the meantime, if you have sensitive information on your computer that you would like to protect, why not download our Sophos Free Encryption?

Creative Commons image of Hacker Dojo sign courtesy of mightohm’s Flickr photostream.