New Federal Privacy Rules Require Canadian Companies To Disclose Data Breaches

New privacy rules being instituted by the federal government will require Canadian companies to disclose data breaches.

The new federal legislation, called the "Personal Information Protection and Electronic Documents Act (PIPEDA)", requires Canadian companies to alert their customers any time their personal information is compromised or stolen.

Currently, Canadian companies large and small must notify the Privacy Commission of Canada any time there's "a real risk of significant harm to an individual" due to a security or data breach. That wording leaves open to interpretation what exactly constitutes "significant harm." What constitutes a breach of security has also been open to interpretation up until this point.

The new legislation, which goes into effect Thursday, requires companies to keep accurate data about cybersecurity safeguards for two years following a breach. The law also calls for digital safeguards at all parts of the business, including dealings with third-party contractors.

And the rules impose stiff penalties of up to $100,000 per violation or failure to disclose a data breach — a sum that should prompt many businesses to update their information technology and cybersecurity systems.