New rules mandating how Canadian companies respond to data breaches come into force on Thursday, but many businesses won’t be ready, privacy experts say.
Starting in November, Canadian private-sector organizations must report breaches involving personal information to the Office of the Privacy Commissioner of Canada (OPC) and notify all individuals affected, provided the event poses a “real risk of significant harm” to those whose data have been compromised. Organizations must keep a record of all breaches of security safeguards for two years, even if those episodes don’t meet the threshold for reporting.
Failure to maintain records or report a breach can result in a fine of up to $100,000 for each offence.
Many larger and mid-sized organizations have been getting ready for the change for some time, said Alex Cameron, chair of the privacy and cybersecurity group at Fasken Martineau DuMoulin LLP. “However, we have observed that there is a very large segment of the private sector that is not prepared.”
That’s especially true of smaller companies. “I doubt most small-business owners even know these new rules exist,” said Corinne Pohlmann, senior vice-president of national affairs at the Canadian Federation of Independent Business. Even though many smaller businesses are not likely to hold much personal information, they are still vulnerable to data theft. “Privacy is low on the radar for many small-business owners. Nonetheless, we are going to make sure they are aware,” Ms. Pohlmann said.
The new rules come at a time when concern about data privacy is mounting, and when some companies have been reluctant to disclose breaches. Uber Technologies Inc. did not start notifying the 815,000 Canadians affected in a massive 2016 hack until after a ruling from Alberta’s privacy commissioner in February. (Alberta is the only province to already mandate such disclosure outside of a health-care context.)
Canada’s regulations come after the European Union’s General Data Protection Regulation (GDPR), a stricter framework that took effect in May. Companies can be fined up to €20-million (about $29-million) or 4 per cent of global revenue, whichever is higher, for violating the regulations. Canadian companies with global operations would likely already have more stringent data policies in place as a result of GDPR and can more easily manage the changes back home. But not every firm has made data security a priority.
Some businesses will only take notice of the new regulations after penalties are levied, said Mark Sangster, vice-president of strategic marketing at cybersecurity firm eSentire Inc. in Cambridge, Ont. “They’ll think, ‘Someone just got hit with a fine, I better pay attention to this,’” he said.
Companies that have been paying attention still have questions about the regulations. Imran Ahmad, a partner at Miller Thomson LLP who specializes in cybersecurity, technology and privacy law, said some clients are unclear on how much detail to include when maintaining records. Keeping track of every security issue is challenging for large organizations. A breach could range from a large-scale cyberattack to an employee losing a corporate USB key at a trade show, Mr. Ahmad said.
While the privacy commissioner’s office released draft guidelines providing further detail, the finalized version has not been published. A spokesperson for the OPC said the final guidelines will be released before Nov. 1.
Companies are also worried about the impact of more disclosure on their reputations, as well as the potential for litigation. “The moment they notify in high-profile cases, within 24 to 48 hours, there’s class-action litigation,” Mr. Ahmad said. Still, he believes organizations will potentially over-disclose to avoid running afoul of the regulations.
“We’ll see a bit of an increase initially,” he said. As it becomes clearer how the commissioner enforces the regulations, “you’ll see the pendulum swing back to a more balanced situation.”
Finding a middle ground will be challenging, said Michael Geist, a law professor at the University of Ottawa. “If every breach resulted in a notification, the public would become numb to them,” he said. But if only the most damaging breaches were disclosed, “there may be others that cause harm and the public is kept in the dark.”
The latter scenario is a real possibility owing to the language in the regulations, according to Ann Cavoukian, who heads the Privacy by Design Centre of Excellence at Ryerson University. While the guidelines provide some direction on what is meant by “real risk of significant harm,” Ms. Cavoukian said the phrase is open to interpretation.
“It’s to the company’s advantage to judge low in terms of harm,” in part to avoid repercussions, she said.
More clarity will emerge only after time has passed and case law has been established. “There will be some contentious cases that arise, and when that happens, some of these issues are going to get fleshed out,” said Ryan Berger, a partner at Norton Rose Fulbright Canada LLP.
Another concern for Ms. Cavoukian is that the regulations require organizations to report a breach “as soon as feasible.” Under GDPR, organizations have 72 hours to report. “I would have preferred they put some specific language in there,” Ms. Cavoukian said, adding that the longer consumers are unaware their data have been compromised, the greater the potential for harm.
Innovation, Science and Economic Development Canada did not respond to a request for comment. A spokesperson for Minister Navdeep Bains’s office previously told The Globe and Mail the regulations make clear that notifications must be made without unreasonable delay, while providing “some degree of flexibility to allow organizations to confirm that a breach has taken place, conduct a risk assessment and put in place measures to contain the breach, if necessary, before notifying individuals.”