Explaining Canada’s Data Breach Regulations
Digital technology has served as a catalyst for modernization; however, it also created new opportunities for corporations to hide information from consumers.
Tackling this issue, the Federal Government released new regulations requiring companies to report data breaches in a timely manner to all affected individuals. These amended rules come after a wake of scandals where companies such as Yahoo and Uber failed to report large data leaks and attempted to hide them from the public. Firms will be required to follow these regulations from Nov.1. Thus, giving businesses ample time to alter internal practices to suit the new rules.
Breaking Down the New Regulation
Firstly, organizations must determine if the breach poses a ‘real risk of significant harm’ to an individual. Under the regulation, ‘significant harm’ includes:
“bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”
From there, companies must notify the individuals that have been harmed. Notifications must contain,
“sufficient information to allow the individual to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it or to mitigate that harm.”
Finally, this communication must be provided to affected parties within a reasonable timeframe after the breach has occurred.
If any company fails to comply with the new regulation they will be fined $100,000 for each offense. However, this regulation does not affect all businesses within Canada as British Columbian, Albertan, Quebec and federally regulated firms are all beginning exempt.
To ensure that your company complies with new legislation, reach out to see how Secure Sense can solve your cybersecurity needs.