The Globe and Mail

Molly Reynolds is privacy counsel at Torys LLP

The year isn’t over yet – but the trend is clear. With new security flaws being discovered in software every day – on top of plain old human negligence and nosiness – our data are at more risk than ever.

It’s in this context that the federal government enacted privacy-law amendments requiring companies to disclose data breaches that pose a risk to an individual.

These regulations have just come into force. And their intent is good. We deserve to know whether our privacy is being put at risk. But as we’ve seen in other jurisdictions with similar disclosure requirements, “oversharing” comes with risks of its own – to the public and the privacy regulator itself.

Companies will be overly cautious

The law establishes a threshold: data breaches must pose a “real risk of significant harm” to those affected to warrant disclosure.

But the law is light on details and new guidance from the federal Privacy Commissioner does little to help companies identify risks and weigh potential harms against this threshold.

Although the internet is midway through its fourth decade, the “new reality” – in which hackers and data brokers freely trade our data online – is relatively new. Polls show Canadians are concerned about the safety of the information they give to businesses. In this context, companies are not likely to take risks. They will err on the side of caution, disclosing even minor breaches that may not meet the risk-based standard.

This type of oversharing may please privacy advocates, but it comes with adverse consequences.

Regulators will be overwhelmed

In other jurisdictions where data-breach notification requirements have been implemented, regulators have seen a surge in disclosures – so much so that their own processes are overwhelmed.

Just look across the Atlantic. After the European Union’s General Data Protection Regulation (GDPR) kicked in this spring, the United Kingdom saw a surge in notifications. As many as 500 calls a week were made to their breach-reporting phone line alone. According to the U.K. Information Commissioner’s Office, as many as one-third of these breaches were “not reportable” under the GDPR’s notification threshold.

In the absence of clarity from the regulator, organizations decided that it was better to be safe than sorry. That is why, on its website, the Information Commissioner’s Office now indicates – in bold – that organizations do not need to report every breach, and provides substantial resources guiding organizations in their application of the threshold.

Back in Canada, the Privacy Commissioner has said his office did not receive any additional funding to support the new breach-disclosure rules and impending wave of reports. A handful of employees will need to wade through reports of all kinds, trying to identify those serious enough to merit attention. But oversharing poses a threat to more than the Privacy Commissioner’s overworked employees. It poses a threat to individuals whose data have been compromised – the very people this law is meant to protect.

Individuals will tune out

In past years, large data breaches regularly made the news. In Canada, consider the infidelity dating site Ashley Madison, which made front-page headlines for months in 2015 when it was a victim of a salacious attempt at extortion, or the hard drive with thousands of student loan records that went missing from a government office. Now, with hundreds of major breaches occurring each year, people are suffering from “data-breach fatigue.”

If companies err on the side of notification because they can’t navigate the breach-disclosure threshold, there is a real risk that this fatigue could be replicated on an individual level – people will stop paying attention when they are told their data could be at risk and how to protect themselves.

This is dangerous. Although many data breaches pose little risk, some can have serious consequences – for a person’s credit score, security or even personal identity. Most data-breach notices suggest some kind of self-help: swap your payment card; set up fraud alerts; change your passwords. A deluge of notices and suggested action will ultimately irritate, exhaust or bore some Canadians. People will stop reading notices, stop taking action. We cannot, through overreporting, set ourselves up for more risk by overwhelming consumers and regulators.

Clarity is needed

The Privacy Commissioner’s Office must follow the lead of its U.K. colleagues and provide more detailed, practical clarity to organizations on what types of breaches meet the disclosure threshold – and just as importantly, what types of breaches should not be publicized.

In doing so, they will be able to avoid the problem of oversharing that puts their processes – and our citizens – at risk.
