Canada puts teeth into digital privacy law
(Editor’s note: As several U.S. states move to tighten data loss disclosure laws, on June 18 Canada expanded its federal privacy law. In this guest essay, Paul Dawson, cyber liability attorney at Dolden Wallace Folick LLP, outlines the implications.)
By Paul Dawson, Special for ThirdCertainty
Passage of the Digital Privacy Act (DPA) will both expand the powers of Canada’s privacy commissioner and increase the burden on businesses to ensure they notify people whose personal information has been exposed as a result of a data breach. The costs to Canadian businesses resulting from data breaches are likely to increase dramatically, as will demand for cyber insurance to cover those costs.
The biggest change arising from the DPA has yet to be felt, but will likely result in an increase in first-party claims under cyber policies. The DPA inserts into the Personal Information Protection and Electronic Documents Act (PIPEDA) a new requirement that organizations must report to the privacy commissioner any data breach involving personal information. This obligation is triggered if it is reasonable to believe that the breach creates a “real risk of significant harm to an individual.”
To determine whether there is a “real risk of significant harm,” the sensitivity of the breached information and the likelihood that the information has been or will be misused must be considered—often at considerable cost.
Furthermore, the organization also is required to notify individuals of a breach that might reasonably create a real risk of “significant harm.” This can include humiliation, damage to reputation or relationships, financial loss, loss of employment, identity theft, or negative effects on credit records.
Stakes raised for noncompliance
The notice must be sufficiently detailed to allow the victim to understand the significance of the breach and take steps to minimize its impact. This requirement can, in certain circumstances, cost hundreds of thousands of dollars. Hence, organizations will obtain cyber insurance in order to pass these costs on to their insurer, making these policies more popular in the insurance market.
The DPA also increases the regulatory burden on Canadian businesses and organizations subject to PIPEDA. The statute already set principles on when and how organizations must obtain an individual’s consent before collecting, using or disclosing personal information; the DPA now says that such consent is only valid if the organization reasonably believes that the individual would understand the nature, purpose and consequences of granting consent.
However, insurers will be particularly interested to note that the DPA also creates an exception: personal information may now be collected, used and disclosed without consent if it is contained in a witness statement obtained to investigate or settle an insurance claim.
The new reality
The mandatory breach notice provisions in the DPA will come into force only after further consultation with businesses and other stakeholders—but they will fundamentally transform privacy law in Canada. Until now, the privacy commissioner only became engaged when someone complained that an organization had breached the law. Now organizations themselves must report breaches to the commissioner and to affected individuals.
When the new mandatory notice provisions are in place, data breaches will be much more likely to become publicly known; will trigger legal and business costs in providing information and responses to the commissioner; and will trigger privacy-related litigation.
The DPA is expected to take effect sometime this summer. However, Canadian businesses—and their insurers—should begin examining immediately how the DPA will affect their commercial and underwriting practices. Mandatory notice provisions have been in place in the United States for years, where public notice programs have proven very expensive, and often have triggered class-action lawsuits. That reality is likely coming soon to Canada and with profound effect.