Canada is in the final stages of bringing into force legislation that will require companies to report data breaches to the federal privacy regulator.
Parliament passed the legislation back in 2015 as part of the Digital Privacy Act. Because the breach-reporting provisions depend on “related regulations outlining specific requirements,” they were not brought into force right away, and government officials gave industry stakeholders a “transition period.” Organizations were expected to use that time to review their internal policies and strengthen their network security controls.
Under the new rules, businesses will need to report when a breach occurred, what information it exposed, and how the attacker gained access. They must send this report to the Office of the Privacy Commissioner of Canada and, where the breach creates a real risk of significant harm, notify the affected individuals as well. At the very least, the Privacy Commissioner can coordinate threat intelligence sharing to help other organizations in the affected entity’s industry avoid similar incidents.
The legislation will also require businesses to keep an up-to-date record of every data breach and to provide those records to the Privacy Commissioner on request. Knowingly failing to keep such records or to report a breach is an offence carrying a fine of up to 100,000 CAD.
David Masson, country manager for Canada at security firm Darktrace, believes this legislation will fundamentally change how Canadian companies approach digital security. As he told the Ottawa Citizen:
“Think of it like the federal government enforcing cyber hygiene on businesses in Canada. What this does is change the way businesses actually do security issues. They are going to have to do it now. They’re going to have to have adequate safeguards in place … and actually use the tools they’ve got and know what’s going on in their networks.”
Once in force, these regulations could therefore push more companies toward preventive security, for instance by raising the security maturity of their endpoints and investing in security awareness training for their employees. Such efforts would not only better protect customers’ information; they would also produce more informed users who can protect their organization’s business-critical data.
As of this writing, the federal government is expected to make the draft regulations available to the public. Those regulations must then be approved before the breach-reporting provisions come into force. Once they are, Canada will have a nationwide data breach notification framework, something other countries such as the United States have yet to realize.
The draft regulations are expected to eventually appear in the Canada Gazette, the official publication of the federal government.