Is Canada ready for a new data breach notification regime?

Businesses in Canada are going to have to get serious about figuring out how to respond to a data breach

This week’s massive Equifax breach is a reminder of the stakes at play when dealing with users’ data. The looming implementation of proposed regulations under Canada’s Digital Privacy Act should also stiffen their resolve.

After Equifax’s systems were hacked, data on as many as 143 million Americans — and possibly a number of Canadians and others — was potentially compromised.

The fallout has the U.S. Congress demanding answers; the New York Attorney General’s office has launched an investigation, and class action lawsuits are being filed against the company across America.

One application for a class action, filed this week in a New York courtroom, contends that Equifax acted negligently by taking more than a full month to report the breach to their consumers on September 7, after learning of it on July 29.

What’s more, the application notes, “[u]nlike other data breaches, not all of the people affected by the Equifax breach may be aware that they're customers of the company.” As a credit monitoring company, Equifax receives its information from financial institutions.

Another application, filed in Texas, argues that Equifax’s cyber security practices were lacking. “Equifax knew or should have known that its data and security systems did not adequately protect … consumer data,” the application alleges.

Canadians are getting in on the action, too. The Information and Privacy Commissioner of Canada has indicated its office will be looking into the matter. Class action lawyer Tony Merchant — of the Merchant Law Group — has filed application for a class action in British Columbia, Quebec, and Ontario.

Bernice Karn, a partner at Cassels Brock who specialises in information technology law, warns businesses to gird themselves. “You can never do enough to guard against cyber attacks. They’re going to happen. They’re going to happen with more and more frequency,” Karn told CBA National.

“We’re all kind of living in a fool’s paradise if you think you can completely block yourself from this type of thing affecting your company or organization.”

Even so, panicking or over-correcting is the wrong course of action, she says. A breach might at first look bad. Once the forensic auditors show up, however, an apparent data breach may, in fact, turn out to be a failed hack.

“Not all data breaches necessarily involve the compromise of personal information. You can rush to judgment,” Karn says. “Take a step back.”

At the same time, organizations subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) are required to implement appropriate safeguards, and soon will have to follow data breach notification requirements that were passed into law in 2015, particularly where it is reasonable to believe that a breach creates a real risk of “significant harm.” According to Nathalie David and Samuel Robichon at Clyde & Co’s Montreal office, “significant harm” covers “a range of scenarios, from humiliation and reputational damage loss to property and financial losses.”

But it’s hard to know what the threshold is, and new reporting requirements are potentially onerous for corporations. “Clients are looking for binary analysis: If it’s this, we need to notify, if it’s that, we don’t need to notify,” Karn says, but adds: “I don’t think any legislation can address this properly.”

In addition to reporting, the law will require companies to meticulously document breaches. That is, when the data breach provisions come into force. And that won’t happen until the federal government passes regulations prescribing how notices are to be made.

At long last, it published proposed regulations for comment earlier this month. The Gazette notice indicates that the government is considering boosting the reporting requirements, forcing companies to include assessments of the potential harm caused by these breaches.

But Karn remains unimpressed. “When I read it, I thought to myself: ‘We’ve been waiting this long for this?’”

It’s still anyone’s guess when the regulations will come into force. The notice in the Gazette states that organizations will be given “time to adjust their policies and procedures accordingly” to properly “track and record all breaches of security safeguards that they experience.”

Given that and the 30-day consultation period, Karn doesn’t see these regulations coming into force in 2017. “I’m open to being pleasantly surprised,” she says.

If provinces are getting anxious, or worried about the impact of the federal regulations, they’re more than welcome to adopt their own regulations on data breaches, given that PIPEDA can be supplanted by provincial legislation. Karn doesn’t see that happening.

“We’ve had PIPEDA now for, what, 16 years? We’ve had three provinces that have enacted their own legislation,” she notes. Of those, only Alberta has mandatory data breach notification.