Mandatory Reporting in Canada for Breach of Personal Information

Takes effect November 1, 2018: Businesses, do you know what this means?

Canadian businesses are required to:

  • Report to the Federal Privacy Commissioner breaches of security safeguards of personal information that pose a “real risk of significant harm” to individuals
  • If a report is required, notify affected individuals and undertake meaningful risk mitigation
  • Keep a record of all breaches
  • Employ satisfactory security and controls for the protection of collected personal information

All companies are required to report the breach or loss of personal information in their control regardless of the size of company or number of individuals involved. As well as reporting to the Privacy Commissioner, notification to individuals must be given “as soon as feasible” after it is determined the breach may result in “real risk of significant harm” to the individual or individuals involved.

Fines up to $100,000 for not complying with the reporting requirements are possible. Infractions are referred to the Attorney General of Canada for prosecution.

Key point: The question is whether the breach or loss of information for which the organization is responsible poses a “real risk of significant harm” to those whose information is involved. “Real risk of significant harm” includes the possibility of “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property” from the breach.

If you haven’t considered Cyber and Privacy insurance before, you really should have some now.  Contact us today for more information!


