Coming Soon (or at least by November): Government Sets a Date for Data Breach Disclosure Rules To Take Effect
Several years after the legislation passed into law, the Canadian government has finally set an effective date for long-overdue data breach disclosure rules. The requirements were included in the Digital Privacy Act that was passed in 2015, but the accompanying regulations literally took years to finalize. Earlier this year, I argued that the failure to expedite security breach disclosure rules was an embarrassing failure for successive Conservative and Liberal governments, placing the personal information of millions of Canadians at risk and effectively giving a free pass to companies that do not adequately safeguard their customers’ information.
News last week of a stunning data breach at a Toronto-area hospital involving information on thousands of mothers places the proposed Digital Privacy Act squarely in the spotlight. Bill S-4, which was introduced two months ago by Industry Minister James Moore, features long overdue data breach disclosure rules.
My weekly technology law column (Toronto Star version, homepage version) notes the new rules would require organizations to notify individuals when their personal information is lost or stolen through a data or security breach. Most other leading economies established similar rules years ago, recognizing that they create much-needed incentives for organizations to better protect our information and allow individuals to take action to avoid harms such as identity theft when their information has been placed at risk.
While the mandatory data breach rules can be an effective legislative privacy tool, they only work if organizations actually disclose breaches in a timely manner. Bill S-4 establishes tough penalties for failure to notify affected individuals, but unfortunately undermines its effectiveness by setting a high notification standard such that Canadians will still be kept in the dark about many breaches, security vulnerabilities, or systemic security problems.