Canada’s new data breach notification rules: What you need to know

November 1, 2018

All businesses, big and small, need to be ready for Canada’s new mandatory data breach notification rules under the Personal Information Protection and Electronic Documents Act (“PIPEDA”). These changes came into effect on November 1, 2018. Failure to comply with the new rules – including failing to report breaches that pose a real risk of significant harm or deliberately failing to keep records related to such data breaches – may result in fines of up to $100,000. To comply with the rules and avoid a potential fine, businesses are encouraged to consider the following steps if they believe they have experienced a breach.

Limit the breach: identify, investigate, contain, and assemble a response team.

Potential steps to immediately contain the breach include stopping the unauthorized practice, addressing breached servers, changing passwords, and/or correcting security weaknesses and applying outstanding program updates. Be sure to retain any evidence that may help determine the cause of the breach while conducting an initial investigation to determine whether a more detailed inquiry is necessary. Assemble a response team of key people within the organization who have the knowledge, access, and authority to deal with the issue(s) at hand. Members could include:

  • Chief Operating Officer or Operations Manager
  • Data Privacy Officer
  • Senior IT Staff / Chief Technology Officer
  • Chief Marketing Officer and/or Communications
  • Legal Counsel

Determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach.

To determine “real risk”, consider:

  • The sensitivity of the personal information involved in the breach;
  • The probability that the personal information has been, is being, or will be misused; and
  • Other factors that may be set by regulation.

“Significant harm” to the individual includes:

  • Bodily harm, financial loss, property damage
  • Humiliation
  • Identity theft, negative effects to credit record
  • Damage to reputation or relationships
  • Loss of employment or business opportunities

If the breach poses a real risk of significant harm, consult with your response team and notify the commissioner, affected individuals, and other organizations.

The Commissioner

When: As soon as feasible.
What: Information about the breach and steps that have been taken as a result of the breach to reduce the risk of harm to affected individuals.
How: In writing, sent securely.

Affected Individuals

When: As soon as feasible.
What: Information about the breach and steps that have been taken as a result of the breach to reduce the risk of harm to affected individuals.
How: Organizations must generally notify affected individuals directly.

Any other organization that may be able to mitigate harm to affected individuals.

Maintain records.

Organizations must keep records of every breach of security safeguards involving personal information, even those that do not pose a real risk of significant harm to an individual. These records must be maintained for a period of 24 months after the organization determines that a breach has occurred.

The Cybersecurity and Data Privacy Practice Group at Cox & Palmer is happy to assist businesses and organizations in preparing for and responding to the roll-out of Canada’s new data breach notification requirements.

Cox & Palmer publications are intended to provide information of a general nature only and not legal advice. The information presented is current to the date of publication and may be subject to change following the publication date.