Canada ponders mandatory data breach notification law

Filed Under: Data loss, Featured, Law & order, Privacy

Gavel in front of a Canadian flagCanada has been making significant progress at modernizing many of its laws to cope with the realities of 21st century life.

Just last month Bill C-28 took full effect. The bill is aimed at making spamming illegal in Canada. A little late to the party, but welcome nonetheless.

On Thursday, Industry Minister Christian Paradis proposed Bill C-12, an update to PIPEDA (the Protection and Electronic Documents Act).

Paradis' update would transform the existing privacy law into a mandatory data breach notification act.

In the USA and Europe this type of law has helped inform consumers about the risks to them when their personally identifiable information (PII) is lost or stolen.

Unlike much of the legislation passed in the United States, though, the bill is quite vague about what constitutes a data breach and exactly how an organization would determine that.

Many exemptions are proposed to allow personal information to be shared with the government, police, banks, and insurance companies and for the purpose of preventing fraud.

The bill would also allow for personal information to be shared in the event of illness, injury or notification to next of kin.

Hacker Dojo don't do itOne interesting provision is that when an organization seeks consent to share an individual's personal information, the person granting consent must "reasonably understand" the implications of that choice.

It seems this is intended to protect minors or others who are incapable of understanding decisions that could affect their privacy.

So, how does Canada define a data breach that might meet the criteria for mandatory notification?

The proposed bill takes three factors into account: the sensitivity of the personal information that was lost or stolen, the number of people affected and whether it constitutes a systemic pattern of failure.

Organizations must notify potential victims as soon as possible if there is "real risk of significant harm." This is defined as the leaked information's potential to cause any of the following:

  • Bodily harm
  • Humiliation
  • Damage to reputation or relationships
  • Loss of employment
  • Damage to business or professional relationships
  • Financial losses
  • Identity theft
  • Damage to credit
  • Damage to property

Fishing in NunavutWhile the the list of potential harms makes complete sense, there is no definition whatsoever of how big is big enough. Is it 10 people? 1000 people? Is it different if you live in Nunavut or Toronto?

I applaud the Minister for proposing this update, and hope that some of the current vagueness can be worked out in the House of Commons. If Canada manages to move forward on this, perhaps it could apply some pressure on our friends from down under.

In the meantime, if you have sensitive information on your computer that you would like to protect, why not download our Sophos Free Encryption?

Creative Commons image of Hacker Dojo sign courtesy of mightohm's Flickr photostream.

, , , , ,

You might like

One Response to Canada ponders mandatory data breach notification law

  1. Hi Chet,

    A quick note that this is actually a re-tread of another bill C-29, that was tabled last year, and died on the order table as an election was called. We fully expect the law to pass this time out, and now the Conservatives have a majority on both parliament and senate. Another important clause in the bill is allowing law enforcement agencies to share data month themselves and agencies outside of Canada, something currently prevented by our privacy law, PIPEDA.

    Naturally, CAUCE supports this law.

    Neil Schwartzman
    Executive Director
    CAUCE : The Coalition Against Unsolicited Commercial Email
    IM: caucecanada

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on as Chester, Chester Wisniewski on Google Plus or send him an email at