Privacy Law Changes Coming This Year

    Mar 07, 2017

    Thanks to changes to Canadian privacy law and recent guidance from the Canadian Securities Administrators (CSA), Canadian companies soon will have to start disclosing more about cyberattacks than they have in the past, as well as be more proactive about revealing specific risks that could result in future attacks.

    In June 2015, the Canadian government passed the Digital Privacy Act. Among other things, it requires that data breach notification and reporting regulations become part of Canadian privacy law. According to CBC News and an Innovation, Science and Electronic Development spokesperson, the government expects to publish draft regulations "sometime in early 2017," but it has not announced a date when the final regulations will be published or become law. However, some in the industry say they expect the regulations to take effect by the fourth quarter of this year.

    After that, organizations will be required to report all breaches and notify users of any breach that poses "a real risk of significant harm."

    According to CBC News, that would include any information that could be used to commit fraud or a social engineering attack – for example, names and addresses, credit card data, security questions and passwords, or past orders on an online shopping site. But it could also include information that could humiliate a person or damage his or her reputation.

    Companies also will have to reveal more about how they are protecting individuals’ data. If data is lost or stolen, companies will have to tell the individual, or risk a fine. They will no longer be allowed to hide attacks.

    Failure to report a breach or notify users when required could result in a fine of up to $100,000, "a step in the right direction," Imran Ahmad, a partner at the law firm Miller Thomson, who specializes in cybersecurity, told CBC News.

    Cybersecurity experts say there are a significant number of breaches that never get reported because there's currently no obligation to report them, but that will start to change later this year. 

    Kevvie Fowler, KPMG's national leader of cyber response in Canada, told CBC News that he expects the number of reported breaches will "skyrocket" this year as a result of the new regulation. 

    And with more reported breaches, there will be more angry victims, meaning a likely increase in the number of companies being sued, he said.

    According to Fowler, the hope is that more transparency will lead to better protections and fewer breaches. And "there should be a large amount of information that floods the internet from these organizations" this year, he said.

    In the meantime, the CSA is working to ensure that publicly traded Canadian companies are more transparent about their cybersecurity practices before they get hacked – and not just after a breach.  

    According to CBC News, the CSA recently reviewed how 240 publicly traded companies in Canada talked about cybersecurity in their financial filings, including the potential impact of a cyberattack, information at risk, who handles the company's cybersecurity, and any disclosures of previous breaches or attacks.

    The CSA found that 40% of companies failed to address cybersecurity risks in their disclosures. And, in general, it found that filings tend to use generic, boilerplate language, even though different types of companies face different types of cyberattacks or threats and hold different types of data with varying degrees of risk.

    In its guidance note, the CSA says it expects issuers "to provide risk disclosure that is as detailed and entity-specific as possible" and that it will be monitoring companies for compliance.

    "I think the next step is probably going to be, what is the enforcement action for non-compliance?" Ahmad said. "We're not there yet, but that's where we're headed."



     This monthly advisory contains brief summaries of recent legislative and regulatory issues that may affect the management of records and information in Canada.




    © 2017, ARMA International