Since 2004 Canadian companies have been required to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA). Yet, when I talk to owners and managers of smaller companies, almost no one is even aware that the legislation exists.

That may be about to change.

If Bill S-4, aka "Canada's Digital Privacy Act", is passed into law organizations will face $100,000 in fines for each data breach where they fail to meet notification requirements.

Claudiu Popa, president of Informatica Corporation, a company that offers professional security & privacy risk assessments, noted that the new legislation is extremely ambitious.

"On a positive note, it introduces breach notification in a powerful way while adding much needed influence to the Office of the Privacy Commissioner of Canada," said Popa. "On a negative note, it's not particularly prescriptive, which has always been PIPEDA's key weakness. This may lead to errors due to interpretation and bias."

What businesses need to know

What do businesses need to understand about the new law? The legislation, which was tabled yesterday, proposes changes in three main areas:

1. Breach notification

As we have seen too frequently in the news over the past year, significant data breaches can occur in even the largest and best capitalized organizations.

The proposed changes introduce new data breach notification requirements and penalties. There are two things that businesses must understand to avoid the risk of a $100,000 fine for every individual not told:

1. Recognition: Businesses will need to recognize when it is possible that a breach could have occurred and be able to then investigate to determine whether the company is obliged to notify customers of the breach. The proposed changes stipulate that notification is required when personal information is lost or stolen and there is a risk that the affected individuals could be harmed as a result.
2. Response: If a data breach occurs that creates the possibility of harm, the business is required to notify all affected individuals and also tell them what steps they can take to protect themselves.

Companies that deliberately try to hide a data breach can face stiff penalties. The law sets out two main enforcement tools:

• Penalties of $100,000 for each individual not told of a data breach for companies that deliberately fail to report a breach.
• Penalties of $100,000 per incident for companies that deliberately try to hide a data breach by not keeping or destroying relevant records.

2. Simpler rules

The government has also announced that it will introduce simpler rules for business, to eliminate red tape and make compliance with the law easier to manager. However, no details have been announced yet about what rule changes businesses should expect.

3. Stronger enforcement tools

The revised legislation will give Privacy Commissioners stronger tools to enforce PIPEDA and hold organizations to account.

People who file a complaint with the Privacy Commissioner will also have up to one year, after the investigation has completed, to ask the Federal Court of Canada to do one of two things:

1. Comply with the law; or
2. Award damages to an individual who has been harmed by the privacy breach.

The government backgrounder notes that the additional time is intended to give organizations time to comply, while also ensuring that there is an avenue for the matter to be taken to court.

The revised law will offer greater flexibility for notifying the public of non-compliant organizations, with the backgrounder noting that under the revised law, this information can be released "…  if the Commissioner considers it to be in the public interest to do so, so that Canadians can be aware and take action to protect themselves."

How businesses will need to adapt

While penalties are focused on failure to notify customers of a data breach, the core change businesses will want to make is to do everything they can to prevent data breaches.

This is a significant challenge that impacts technology, systems and people in the organization.

"Companies don't realize it yet, but because they'll be on the hook financially and reputationally for breach notification, they will need to implement mature technology solutions to actually detect breaches, not just attempt to block them," said Popa. "This takes money and expertise many firms do not have. Investments in licensing, hardware, training and awareness are absolutely required to meet the spirit of the bill."

What about big brother?

One criticism of the law is that while it focuses on providing protections from non-governmental organizations, it fails to address the government's monitoring and collection of personal information.

"It does nothing to assuage public fears of government surveillance and digital interception, which in and of itself is a breach of privacy," said Popa, "but it would be ironic if the stronger privacy were able to bring justice to the practice of widespread monitoring "we-the-public" and offices the various Privacy Commissioners have been championing."

Further reading

http://news.gc.ca/web/article-en.do?nid=836519

If you enjoyed this article, be sure to visit CanadaOne's article knowledge base for more informative articles.