Ottawa’s new privacy rules give businesses flexibility on reporting data breaches

OTTAWA _ Federal data breach regulations set to take effect Nov. 1 will require mandatory reporting of security breaches that pose a “real risk of significant harm,” but give businesses flexibility about how that’s done.

Ottawa has rolled out the long-awaited requirements in a notice in the Canada Gazette that indicates the government wanted to protect consumers without overburdening private-sector organizations with excessive costs or complexity.

The regulations require organizations to determine if a data breach poses a risk to any individual whose information was involved and then to notify the federal privacy commissioner and affected individuals “as soon as feasible” _ not within a specific time limit.

The newly published regulations also give organizations flexibility to use any form of communication to individuals that a reasonable person would consider appropriate, such as phone, email or advertisement.

Companies that had been hacked had previously been alerting the public on their own timeline.

A recent security hack at credit-monitoring service Equifax Inc. was revealed months later, while Uber tried to cover up its breach more for than a year by paying off hackers.

In 2010, the province of Alberta became the first Canadian jurisdiction to require private-sector organizations, when “a real risk of significant harm” exists.

Uber only began to alert Canadians who had been compromised in its data breach after Alberta’s privacy commissioner ruled it must notify impacted drivers and riders in the province.

The new federal regulations provide more clarity about the Personal Information Protection and Electronic Documents Act, which was amended in 2015 to provide for fines of up to $100,000 per violation once the regulations come into force.

After consultations last year, the new regulations will require organizations to keep records of security breaches for at least two years after discovery, not five years as the privacy commissioner recommended.

The Gazette notice posted on Wednesday says that five years was considered “overly burdensome” for regulated organizations given that record-keeping requirements cover all breaches, regardless of the risk they pose.

Similarly, the PIPEDA revision rejects the privacy commissioner’s request for mandatory reports on how an organization conducted its assessment of the risk of harm posed by a breach _ saying it exceeded Parliament’s intention.