Expanded legislation affects notifications, consent, record-keeping and compliance
Canada is increasingly cracking down hard on businesses to step up and protect the personal information of individuals, and stringent new compliance obligations under The Digital Privacy Act (DPA) are expected to be enforced by the end of 2017.
With penalties of up to $100,000 for violations of the new rules, the regulation further raises the stakes on cyber-related risk. And it makes a good case: Now is the time to evaluate and update your cyber security related programs to avoid running afoul of regulators and jeopardizing both your customers and business.
The Digital Privacy Act (DPA), passed in 2015, amends and expands Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) in several significant respects:
Breach notifications expanded
One area of concern is the expansion is with of the mandatory notification requirements to individuals whose personal data is breached. Notification is required to other organizations that might be affected as well as Canada’s Privacy Commissioner. The rules require timely notification (“as soon as feasible”) after a breach occurs. Importantly, notifications to individuals must explain the significance of the occurrence and what they can do to lessen the risk the breach might pose.
Consent rules require more detail
The Digital Privacy Act (DPA) also has expanded consent rules. It’s now not enough to gain individuals’ consent before their information is gathered or shared. They must be told about the information being collected, how it’s used and with whom it’s being shared. Children and vulnerable individuals have specific requirements. Among the exceptions: when managing employees, fraud investigations and for work product information. Certain business transactions also are excluded.
Record keeping mandated
It’s now mandatory for records to be kept of all breaches affecting personal information – whether or not they involve a “real risk of significant harm.” This is important because not only must they be provided to the Commissioner on request, but they may be required in discovery by litigants. Insurers may also request them to help assess risk and set premiums for cyber policies.
The compliance agreement option
In addition to fines of between $10,000 and $100,000 for violating these requirements, the new option of a “compliance” agreement with the Commissioner has been added. This has positive and negative aspects. On the plus side, it’s a “safe harbor, preventing the matter from being brought before a federal court by the Commissioner. That safety is limited, however, as it doesn’t prevent affected individuals from such legal action themselves.
Your best protection moving forward is to have the systems, processes and protocols in place that reduce the risk of cyber threats to begin with – and increase your cyber resiliency. This can take various forms, from training and education on cyber issues to threat analysis, data breach and cyber response programs and network evaluations. What’s key to protecting your business and employees is having the right cyber insurance in place should a breach occur or you find yourself fined by regulators for non-compliance. Your HUB broker is in a good position to help you navigate these new rules and ensure you’re protected from rigorous fines and penalties.