SecureWorld News

Mandatory Breach Reporting and Notification Now Law in Canada

Written by SecureWorld News Team | Thu | Nov 1, 2018 | 3:27 PM Z

Mandatory breach reporting and notification is now required by law in Canada.

Under the new regulations for organizations subject to the Personal Information Protection and Electronic Documents Act, which came into force on November 1, 2018, organizations must:

  • Report to the Privacy Commissioner's office any breach of security safeguards where it creates a "real risk of significant harm"
  • Notify individuals affected by a breach of security safeguards where there is a real risk of significant harm
  • Keep records of all breaches of security safeguards that affect the personal information under their control
  • Keep those records for two years

"Mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information," says Canadian Privacy Commissioner Daniel Therrien.

The Office of the Privacy Commissioner of Canada has published guidance to help businesses comply with the new requirements, as well as a new reporting form.

An unfunded mandate for tracking breach report compliance?

Here's something interesting we noticed in the Privacy Commissioner's statement about the new Canadian breach notification law: his office apparently views it as an unfunded mandate.

"... the government has not provided the Privacy Commissioner’s office with resources to analyze breach reports, provide advice and verify compliance. As a result, the office’s work will be somewhat superficial and the regime will be less effective in protecting privacy."

Doesn't it sound like companies that want to skirt the law may be able to get away with it? Perhaps.

The United States still relies on state-by-state breach reporting and notification requirements. As the breach notification requirement map linked below shows, it's a confusing patchwork of laws for cybersecurity and compliance teams to follow:

[MORE: U.S. State Breach Notification Law Map]