Ottawa has unveiled the final regulations for Canadian organizations who discover data breaches, offering a checklist of steps for those affected, but stopping short of enforcing strict timelines coming into effect next month in Europe.
The federal government has been mulling data-breach regulations for three years, and has rolled out drafts and incremental final details for months. Slated to come into effect Nov. 1., the regulations announced Wednesday outline the minimum reporting requirements for organizations whose security safeguards have been compromised, affecting individuals’ private data.
“While digitization has empowered critical innovation, it has also presented us with new and uncharted opportunities and challenges. The new regulations will make companies more accountable and empower Canadian consumers,” said Navdeep Bains, Minister of Innovation, Science and Economic Development, in a news release. His office said he was not available for an interview.
Compromises of customer information have become practically commonplace, and critics have accused Ottawa of dragging its feet on such legislation. In the past 18 months alone, data breaches at companies such as BCE Inc., Loblaw Cos. Ltd., Canadian Tire Corp. affected millions of Canadians. And delays in revealing such breaches have in some cases been as arduous as the incidents themselves. Yahoo once waited more than three years to disclose a massive privacy breach; Uber only began informing hundreds of thousands of Canadian customers that they might have been affected by its 2016 breach after a recent decision from the Alberta Privacy Commissioner.
Canada’s new reporting requirements include an assessment of whether a breach has a “real risk of significant harm” to individuals and disclosures to both them and the Office of the Privacy Commissioner. They include the circumstances and timeframe of the breach; the type of personal information that has been accessed; how the organization is minimizing harm from the incident, as well as what individuals can do to minimize risk; and contact details the Commissioner’s office or affected individual can use to ask questions about what happened.
A deliberate failure to notify the Commissioner or an affected individual, or to keep a record of a breach, will be greeted with a fine of up to $100,000 for each offence. And affected organizations must also outline how they will notify consumers – but the new regulations do not lay out any minimum timelines to do so.
For all the specificity the regulations offer, their final language arrives just over a month before the European Union’s strict General Data Protection Regulation, or GDPR, comes into effect, bringing with it more stringent privacy regulations. They come at a time, too, when sensitivity over data security has reached a historic high, thanks to the Facebook Inc. data-abuse scandal that emerged last month in connection with political consulting firm Cambridge Analytica. Cybersecurity experts say the rules leave lingering questions about compliance for Canadian businesses that harness consumer data, particularly with multinational operations or partners.
GDPR requires a company’s controller to report a data breach to the proper authority within 72 hours after becoming aware of it, and for infringements levels fines of up to €20-million ($31.3 -million) or 4 per cent of global revenue – whichever is higher. In Canada’s language, which says companies must report “as soon as feasible,” “there’s a lot of wiggle room,” said Mark Nunnikhoven, the Canadian-based vice-president of cloud research at Trend Micro, a global enterprise cybersecurity company. “I think the regulations would be much stronger with a specific timeline.”
A spokesperson for Minister Bains’s office said that not putting a strict timeline on Canadian data-breach reporting “provides some degree of flexibility to allow organizations to confirm that a breach has taken place, conduct a risk assessment and put in place measures to contain the breach, if necessary, before notifying individuals.” However, he noted that the regulations’ language “makes it clear that the notification must be made quickly and without unreasonable delay.”
The European regulations are “raising the bar when it comes to privacy requirements,” said Imran Ahmad, a partner at Miller Thomson LLP specializing in cybersecurity and privacy. So the pressure is already on Canadian companies working globally, he said. “European business partners are saying, ‘Because we need to be compliant with GDPR, you need to be compliant with GDPR.’ So there’s a general rush to make sure we’re meeting that compliance requirement.”
(Asked to comment on the pressure some businesses face over the discrepancy in Canadian and European regulations, a government spokesperson said that “ Canada continues to work closely with the European Union to ensure the uninterrupted flow of data between the two economies.”)
David Elder, a lawyer with Stikeman Elliott LLP who focuses on privacy law, said that companies with operations outside of Canada - or Alberta, which has required privacy-breach notifications since 2010 - should already have protocols in place to respond to potential compromises of personal data. “Maybe for smaller entities, this may provide some added incentive,” he said.
Many privacy experts applauded the clarity of the final language, especially for smaller organizations, who now have until Nov. 1 need to create frameworks to deal with such issues. “It gives much more structure, and the goal is to take away doubt,” Mr. Nunnikhoven said.
One piece of regulation that struck Mr. Elder is a requirement that organizations must keep records of any breach of security safeguards, for 24 months, even if they are not so significant as to require the individuals whose information was accessed. He said this could be subject to extremely broad interpretation that could put significant hardship on some companies. If a store clerk hollered a customer’s shoe size across the room to double-check it, for example, it would be considered a breach of their personal information worth recording.
Amendments to the Personal Information Protection and Electronic Documents Act, or PIPEDA, about data breaches were first brought into place with 2015’s Digital Privacy Act – but they were not brought into force pending the development of these regulations.
Privacy and data regulation have been top of mind in Ottawa this week, including with respect to political advertising. Privacy Commissioner Daniel Therrien spoke before the House of Commons committee on access to information, privacy and ethics Tuesday, reinforcing his call for more powers over political parties and internet giants. A spokesperson for the Commissioner’s office said by e-mail that the new regulations offered “limited progress” on protecting Canadians’ personal information, but that “We strongly support the move to mandatory breach reporting.”
Facebook executives are scheduled to appear at the committee Thursday.