Mandatory Data Breach Notification Rules Now in Effect

/ By Cowan Insurance Group

Tag icon Business Insurance, Cyber Insurance

As a valued business partner, your Cowan team is here to ensure you have the information you need to protect your business. We want to make you aware of changes to the Privacy Act which recently took effect, to give you the opportunity to discuss how these amendments might impact your business.

The Digital Privacy Act (Bill S-4) has amended the Personal Information Protection and Electronic Documents Act (PIPEDA) effective November 1, 2018. The new rules govern the recording and reporting of data breaches and apply to all organizations and businesses, regardless of size, which hold individuals’ personally identifying information. Any breach of an organization’s security that poses a “real risk of significant harm” to individuals must now be reported to affected individuals and to The Office of the Privacy Commissioner of Canada. Organizations that knowingly fail to report or maintain a record of all breaches could face fines of up to $100,000 per offence.

When to report

Reporting is mandatory when it is reasonable to believe that a material data breach has created a real risk of significant harm to an individual—including bodily harm, humiliation, damage to reputation, financial loss and identity theft. Reporting must be made “as soon as feasible after an organization determines that a breach has occurred.” Data breach notification and record-keeping requirements are outlined in Breach of Security Safeguards Regulations, found on the Government of Canada’s website.

What and to whom to report

Reporting includes circumstances of the breach, the date and duration, the information that was breached, what steps have been taken to reduce the risk of harm, what steps individuals can take to reduce risk and contact information for details about the breach. Organizations must notify affected individuals and third parties who “may be able to reduce the risk of harm.” The breach must also be reported to The Office of the Privacy Commissioner of Canada (OPCC).

Get the protection you need for your business.

Get a Quote

Recordkeeping requirements

The new legislation requires businesses to maintain a “record of every breach of security safeguards involving personal information under its control.” The record must be ready and available to be shown to the Privacy Commissioner upon request. A record of every breach must be maintained for at least 24 months after the day on which an organization determines that a breach occurred. OPCC is requesting this be amended to five years.

Penalties

Organizations that knowingly fail to report or maintain a record of all breaches could face fines of up to $100,000 per offence.

Is your organization ready?

To comply with new requirements, organizations should:

  • create or update breach response protocols
  • establish legal frameworks
  • create a breach response team
  • design templates for data breach reports
  • create a system for retaining data breach records
  • update internal policies and training materials

Notification obligations and the obligation to report is a result of “significant harm” to personal information your organization is required to protect. Significant harm is a broad definition, left up to you to determine, and using cloud services does not eliminate reporting. Would you know what information was accessed in a breach situation, and be able to determine if you have caused significant harm?

Are you protected?

Commercial property and liability policies often do not cover data breach costs. Cyber Liability Insurance is fundamental to managing your organization’s risk and having the resources needed to meet legislative requirements. In the event of a data breach, Cyber Insurance not only includes coverage for costs arising from the breach—it also gives your organization access to data breach consultants and a panel of financial, legal and public relations experts, ready to assist you when you need them most.

The level of cyber coverage your organization needs is based on your unique needs and can vary depending on the range of exposure.

Please talk to Cowan to ensure your current coverage meets your insurance and risk management needs.

The Office of the Privacy Commissioner of Canada has resources to help businesses understand their obligations under PIPEDA. For more information, visit The Office of the Privacy Commissioner of Canada.

Download a shareable PDF version of this content here

Cyber attacks are increasing

Cyber attacks have emerged as one of the most significant threats facing organizations of all sizes, making cyber liability insurance an essential component to any risk management program.

Find out how your organization stacks up against cyber attack risk.

Download a PDF of our cyber risk scorecard

 

The Latest Posts

From Pennies to Prosperity | Empowering Employee Financial Wellness

From Pennies to Prosperity | Empowering Employee Financial Wellness

As an employer, you're not just running a business; you also have the opportunity to improve your employees' financial futures. While the primary […]

Read more
Break the Silence, Bridge the Gap | Prioritize Women's Health at Work

Break the Silence, Bridge the Gap | Prioritize Women's Health at Work

Women's health is a multifaceted topic that deserves our attention. On average, women tend to outlive men. However, this extended lifespan is not without […]

Read more
Beyond Borders: Navigating Medical Tourism and Disability Management

Beyond Borders: Navigating Medical Tourism and Disability Management

With wait times growing exponentially for specialists, surgeries, and medical investigations across Canada, many Canadians are looking to other countries […]

Read more

We care about what you care about.

Have questions?

Contact Us

Cowan Insurance Group
705 Fountain Street North
PO Box 1510
Cambridge, ON N1R 5T2

Toll Free: 1-866-912-6926

Best Managed Companies
Waterstone Canada's Most Admired Corporate Cultures 2018

© Cowan Insurance Group.