Canada puts teeth into digital privacy law


(Editor's note: As several U.S. states move to tighten data loss disclosure laws, on June 18 Canada expanded its federal privacy law. In this guest essay, Paul Dawson, cyber liability attorney at Dolden Wallace Folick LLP, outlines the implications.)

By Paul Dawson, Special for ThirdCertainty

Passage of the Digital Privacy Act (DPA) will both expand the powers of Canada's privacy commissioner and increase the burden on businesses to ensure they notify people whose personal information has been exposed as a result of a data breach. The cost to Canadian businesses resulting from data breaches is likely to increase dramatically, as will demand for cyber insurance to cover those costs.

The biggest change arising from the DPA has yet to be felt, but will likely result in an increase in first-party claims under cyber policies. The DPA inserts into the Personal Information Protection and Electronic Documents Act (PIPEDA) a new requirement that organizations must report to the privacy commissioner any data breach involving personal information. This obligation is triggered if it is reasonable to believe that the breach creates a "real risk of significant harm to an individual."


To determine whether there is a "real risk of significant harm," the sensitivity of the breached information and the likelihood that the information has been or will be misused must be considered—often at considerable cost.

Furthermore, the organization also is required to notify individuals of a breach that might reasonably create a real risk of "significant harm." This can include humiliation, damage to reputation or relationships, financial loss, loss of employment, identity theft, or negative effects on credit records.

Stakes raised for noncompliance

The notice must be sufficiently detailed to allow the victim to understand the significance of the breach and take steps to minimize its impact. This requirement can, in certain circumstances, cost hundreds of thousands of dollars. Hence, organizations will obtain cyber insurance in order to pass these costs onto their insurer, making these policies more popular in the insurance market.

The DPA also increases the regulatory burden on Canadian businesses and organizations subject to PIPEDA. The statute already set principles on when and how organizations must obtain an individual's consent before collecting, using or disclosing personal information; the DPA now says that such consent is only valid if the organization reasonably believes that the individual would understand the nature, purpose and consequences of granting consent.

However, insurers will be particularly interested to note that the DPA also creates an exception: personal information may now be collected, used and disclosed without consent if it is contained in a witness statement obtained to investigate or settle an insurance claim.

The new reality

The mandatory breach notice provisions in the DPA will come into force only after further consultation with businesses and other stakeholders—but they will fundamentally transform privacy law in Canada. Until now, the privacy commissioner only became engaged when someone complained that an organization had breached the law. Now organizations themselves must report breaches to the commissioner and to affected individuals.

When the new mandatory notice provisions are in place, data breaches will be much more likely to become publicly known; will trigger legal and business costs in providing information and responses to the commissioner; and will trigger privacy-related litigation.

The DPA is expected to take effect sometime this summer. However, Canadian businesses—and their insurers—should begin examining immediately how the DPA will affect their commercial and underwriting practices. Mandatory notice provisions have been in place in the United States for years, where public notice programs have proven very expensive, and often have triggered class-action lawsuits. That reality is likely coming soon to Canada and with profound effect.
