Anthem Breach Notification by Tony Webster (CC BY 2.0)

Anthem Breach Notification by Tony Webster (CC BY 2.0)


Coming Soon (or at least by November): Government Sets a Date for Data Breach Disclosure Rules To Take Effect

Several years after passing into law, the Canadian government has finally set an effective date for long-overdue data breach disclosure rules. The requirements were included in the Digital Privacy Act that was passed in 2015, but the accompanying regulations literally took years to finalize. Earlier this year, I argued that the failure to expedite security breach disclosure rules was an embarrassing failure for successive Conservative and Liberal governments, placing the personal information of millions of Canadians at risk and effectively giving a free pass to companies that do not adequately safeguard their customers’ information.

Last week, the government quietly passed the Order in Council that will allow the data breach disclosure rules to take effect on November 1, 2018. That delay is longer than I argued was needed in a regulatory submission filed with the government, but given the long delays and the fact that others wanted an even longer phase-in period, it is good to see the data breach disclosure rules finally take effect. It should be noted that there are still some important lingering questions about the content of notices, record keeping, and other related issues that should be addressed by regulation. The government will presumably flesh out the remaining issues with the release of the regulations in the weeks ahead.


  1. Kelly Manning says:

    There will probably be a class action legal action, but has anyone tried using existing legislation and established case law, to get a settlement from an enterprise that disobeys existing privacy statutes or regulations?

    I collected $176 and change from the last Realtor to Data Mine my non published home address and send me a solicitation. Realtors and their associations, such as the BC Real Estate Council and the Victoria Real Estate Council, engaged in a hierarchical series of sham Conditions of Use Contracts about purchasing optical disk copies of the names of current and 2 previous home owners. Despite signing the sham contracts Realtors would immediately go to the Optical Disk data if they wanted to mail personalized Real Estate Solicitations to senior in Care Condos. Most of those seniors have non published addresses, to protect their privacy from scam advertisers how prey on them because they are more trusting than young folk, and generally have disposable income.

    I filed for $100 as the Minimum Civil Remedy (can be more, cannot be less as the judge noted), plus document service fees, filing fees, and other expenses.

    Other junk mail victims have collected as much as $500 in their provincial equivalent of BC Small Claims court.

    Mather v. Columbia House (6 August 1992), 10315/91 (Ont. Ct. Gen. Div.).

    I also got a $100 credit from Shaw Cable, the last time Shaw ignored the Do Not Solicit flag in their customer DB and started phoning me at supper time and sending personalized junk mail again. I used the court proven Robert Bulmash / Private Citizen Inc. algorithm and the BC Credit Reporting Act Minimum Civil Remedy of $100 (too low, set in the 1970s?)

  2. Pingback: This Week’s [in]Security – Issue 54 - Control Gap | Control Gap