Canada has no shortage of data breaches. Last year it suffered 276,000 breached records across 57 incidents, and some argue that even that figure is artificially low, because it counts only publicly reported breaches. Companies are probably not reporting a lot of them.
Today there is no federal law that mandates breach reporting, and precious few provincial ones either. In Alberta, the Personal Information Protection Act requires companies to disclose details of data breaches to the provincial privacy commissioner, who then decides whether customers should be notified. Manitoba followed with a similar law in 2013; unlike Alberta’s law, Manitoba’s has no ‘harm threshold’ below which notification isn’t necessary.
There are also some industry-specific regulations mandating the reporting of data breaches to customers. Canada’s healthcare industry has one, for example.
That still leaves a lot of companies outside the reach of any breach notification law. Should Canada’s Federal government force its companies to notify customers in the event of a data breach?
At the federal level, the Digital Privacy Act (Bill S-4), currently making its way through Parliament, could make notification mandatory. Under this law the Federal Privacy Commissioner would get some teeth. The bill stops short of giving him full order-making power, but compliance agreements would at least mean that he could ask the courts to impose fines.
Under the law, Canadian companies would also be required to notify customers and the Commissioner of privacy breaches, but only if, after reviewing the matter themselves, they concluded that the breach placed an individual in harm’s way. It’s not as strong as it could be, but it’s a start.
A federal data breach law would put Canada ahead of the US, which still has no such legislation and currently handles data breach notification on a state-by-state basis. That said, the White House has pushed for a national law to be put in place.
What would a data breach notification law do to the Canadian cybersecurity landscape? For one thing, it might encourage more companies to take out cyber-risk insurance.
Tom Regan, cyber practice leader for insurance broker Marsh, says that data breach notification introduces an element of risk for companies. “We think that there’s an enormous change in the impact of certain types of cyber-risk when regulations require you to disclose it,” he said. “One of the key drivers of cyber risk [insurance] in the US in the past couple of years has been the growing requirement to disclose and talk about these issues.”
The problem, as always, is that the data breach notification provisions are bundled with more controversial clauses. The bill also carries lawful access requirements that would expand surveillance capabilities at a time when public concern about surveillance is at an all-time high.
This has given even the Federal Privacy Commissioner pause. In his most recent annual report (also his first), he wasted no time in calling out the potential problems in S-4. Nevertheless, he argued, the data breach notification provisions would be a solid step forward. He echoed those sentiments most recently in an appearance before the Standing Committee on Industry, Science and Technology in BC.
Introducing legislation often involves a trade-off. Policymakers bundle together measures that different communities want, and those measures are often at odds with one another. Is it worth giving up something that privacy advocates care about in exchange for mandatory breach notification?