Regulatory bodies around the world are making sweeping changes to data breach laws. International organizations are preparing for the impact of GDPR in May 2018; additional data breach regulations are coming to Australia in February 2018; changes in Canada are now anticipated to also go into effect early this year.
Proposed Canadian regulations, the “Breach of Security Safeguards Regulations,” were posted for review in September of 2017. If passed, the Regulations would amend Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), to include a data breach notification mandate.
This regulation will come as a shock to many Canadian organizations that, for years, have considered data breach notification ‘optional’ and may have few, if any, breach prevention or notification systems in place.
Multi-national organizations that are moving toward compliance with GDPR and are already in compliance with various U.S. state data breach laws may already have the necessary measures in place to meet the requirements of the new Canadian regulations. However, as with the upcoming Australian law (the Privacy Amendment Act), organizations will need to be aware of the requirements for notifications to both consumers and the Commissioner.
In the event of a data breach, multi-national organizations have only a short period of time to comply with all applicable regulations, including notification through official reporting channels and to consumers. It is imperative that organizations have a rapid response plan in place, and that such a plan is kept up to date as countries, states or industry regulators change the regulatory landscape.
Non-compliance under the new Canadian regulation could result in a $100k fine, which seems small compared to the potential $20M fine under GDPR. But for small Canadian businesses, or for multi-nationals who find themselves non-compliant with multiple regulators, these fines can add up quickly. In addition to regulatory fines, the presence of data breach regulations is often the driver for class action lawsuits filed by the individuals impacted, with such lawsuits often dragging on for years. In Canada, we’ve seen class action lawsuits on the rise, including those against Equifax, Uber and Yahoo.
Absolute is a Canadian company and we believe the proposed Breach of Security Safeguards Regulations are a great step toward equalizing Canadian-based organizations with the more stringent requirements coming into play under the GDPR. Ultimately, these laws have been designed to protect the best interests of consumers.
If you have questions about the impact of any of these new regulations on your organization:
The information in this blog post is provided for informational purposes only. The materials are general in nature; they are not offered as advice on a particular matter and should not be relied on as such. Use of this post does not constitute a legal contract or consulting relationship between Absolute and any person or entity. Although every reasonable effort is made to present current and accurate information, Absolute makes no guarantees of any kind. Absolute reserves the right to change the content of this post at any time without prior notice. Absolute is not responsible for any third party material that can be accessed through this post. The materials contained in this blog post are the copyrighted property of Absolute unless a separate copyright notice is placed on the material.