The CIO Blog | CrucialLogics

Are you Ready for Canada’s New PIPEDA Data Breach Reporting Obligations?

Written by Amol Joshi | Nov 27, 2018 10:18:49 PM

Data breaches are inherently costly — but new PIPEDA reporting requirements carry fines of up to $100,000 if businesses fail to meet them.

Even the best security deployment will never be airtight, meaning the risk of a data breach always looms.

Companies that take the time to understand this legislation now will perform much more confidently should the worst happen — and avoid those fines.

PIPEDA, the Personal Information Protection and Electronic Documents Act, governs how Canadian businesses must handle personal information. Amendments that came into force on November 1, 2018, introduce a set of obligations that many businesses remain unaware of. They apply to any breach of security safeguards involving personal information under an organization's control where it is reasonable to believe the breach creates a real risk of significant harm to an individual. Significant harm is defined broadly, ranging from bodily harm and financial loss to identity theft, humiliation and damage to reputation or relationships.

  • Businesses must report these breaches to the Office of the Privacy Commissioner of Canada.
  • Businesses must also notify the individuals affected by the breach, and any other organization or government body that may be able to reduce the harm.
  • Businesses must keep records of these incidents. Note that the record-keeping duty is wider than the other two: a record must be kept of every breach of security safeguards, not only those that meet the significant-harm threshold, and the Privacy Commissioner can ask to see those records.

It’s no longer enough to have a plan to react quickly when the worst happens and contain the breach itself. Businesses now have to navigate mandatory reporting as well, which inevitably means taking a public reputation hit on top of managing the minutiae of complying with the new standards. Failure to comply can mean a fine of up to $100,000 per violation, which is well worth the effort to avoid.

Preparing for the New PIPEDA Compliance Challenges

Now more than ever, it’s vital to have excellent security safeguards. If you’re able to run your business securely, you’ll run into these challenges far less. Every business would like to believe it’s capable of fending off every attack and avoiding this kind of damage.

Even so, high-profile cases involving massive international enterprises show that 100 percent safety is incredibly difficult to achieve. You may have the best defences and the best staff, but a breach is still often a question of when, not if.

And it doesn’t matter if you’re a smaller business: you’re still a target, and you’re still responsible under PIPEDA. Keep just one electronic list of customer data and the obligations apply to you. They follow the personal information you control, so even if you contract its storage or processing out to a third party, you may still be the one on the line for mandatory reporting.

Start Working on your Data Breach Reporting Plan Now

When you get the call that attackers have broken in, dealing with the immediate threat will be disruptive enough. You don’t want to be scrambling at the same time to figure out whether this breach is reportable, if and how you will get word to the individuals affected, how you will record the nature of the incident and your response to it, and how you will avoid that $100,000 fine.

Head this headache off now while you have the luxury of dedicating your time and resources to draw up a robust, reliable plan.

  • What criteria must be met for a data breach to be reportable under PIPEDA?
  • What counts as personal information under your control, including data held by your service providers?
  • How will you assess whether a breach creates a real risk of significant harm, and who in your organization makes that call?
  • In what ways could a breach of your particular data sets be damaging to the individuals the data is about?
  • When is the right time to report the breach, both to the Office of the Privacy Commissioner and to the individuals? (The Act says as soon as feasible after you determine a breach has occurred.)
  • What format should the report and your internal records take, and how long will you keep those records? (The regulations require the record to be kept for 24 months after you determine the breach occurred.)

Answering these questions now will save you so much pain (and money!) later and leave you freer to focus on resolving the more immediate crisis.

CrucialLogics is a Microsoft Gold Partner. We’re experts on IT security. If you need a hand understanding these security issues and minimizing the risk of data breaches, get in contact here. If you’re a business owner or leader, you’ll want to check out this page.