The government of Canada has unveiled new regulations that specify how organizations must report and respond to a data breach.
On 18 April 2018, the Breach of Security Safeguards Regulations (SOR/2018-64) were published in the Canada Gazette, Part II.
The Regulations require an organization to submit a report to the Privacy Commissioner of Canada (“the Commissioner”) when it determines that a breach of security safeguards poses a real risk of significant harm to an individual. That report must describe the circumstances of the breach and, if known, its cause; the day or period during which the breach occurred; the personal information that was compromised; the estimated number of individuals affected; the steps taken to reduce the risk of harm; and the steps taken to notify affected individuals.
Organizations may use any “secure means of communication,” including encrypted channels, to send the report to the Commissioner. They must also keep a record of every breach of security safeguards (whether or not it was reportable) for 24 months after the day on which they determine that the breach occurred.
Under the Regulations, a breached organization must also send a similarly detailed notice to each affected individual. The default is direct notification by email, mail, telephone or in person. Indirect notification (for example, a public announcement) is permitted only where direct notification would be likely to cause further harm to the individual, would cause undue hardship for the organization, or where the organization does not have the individual's contact information.
These requirements, which come into force on 1 November 2018, implement Division 1.1 of the Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA requires an organization that suffers a breach of security safeguards to assess whether the breach creates a “real risk of significant harm” to any affected individual, taking into account the sensitivity of the information and the probability that it will be misused. If it does, the organization must notify all affected individuals and report the incident to the Commissioner “as soon as feasible.”
PIPEDA also requires breached organizations to notify any other organization or government institution that may be able to reduce the risk of harm to affected individuals, and to keep records of every breach that they can provide to the Commissioner on request.
Within that legislative context, the Canadian government released the Regulations to make sure persons affected by a breach receive information that’s consistent and that helps them understand the nature of a security incident. At the same time, the directives are designed to help the Commissioner provide effective oversight of organizations.
Like other data protection regimes such as the European Union’s General Data Protection Regulation (GDPR), the Canadian rules carry significant penalties for organizations that fail to comply. As noted by Lexology, knowingly contravening the reporting, notification or record-keeping obligations is an offence punishable by a fine of up to $100,000 CAD, and each individual who is not notified may constitute a separate offence.
By comparison, organizations that breach the GDPR face administrative fines of up to 20 million Euros or four percent of global annual turnover, whichever is greater.
These penalties highlight the importance of organizations achieving compliance with all regulations that are relevant to their business before they come into full force.
Tripwire’s solutions can help companies comply with GDPR requirements before the Regulation takes effect on 25 May 2018.