New Federal Regulations Increase Transparency Surrounding Privacy Breaches

April 9, 2018

It seems like it’s about time for the government to address privacy with a bit more scrutiny, doesn’t it?

Personal information on the internet is incredibly important because it’s an incredibly valuable resource for businesses. You may have heard that “data is the new oil,” and that might be true—but not because it’s worth a lot of money. It’s because leaks happen easily, all the time, and are far too easily pushed to the side.

The Canadian government is getting a bit more serious about digital privacy with the announcement that they are pushing through regulations to force companies into telling their customers when personal information has been compromised. The new regulations will come into effect on November 1.

It might be shocking that is not already a law, considering the number of hacks that have taken place over the last few years, like Uber, Equifax, Yahoo, Nissan and more. But the Digital Privacy Act that became law in 2015 had a few provisions that were not immediately implemented, and now Canadians are finally seeing the government enact these authorizations that will make companies more accountable when a breach occurs.

The soon-to-be-enacted provisions set forth what kind of information a company must provide when a leak happens to both a consumer and the privacy commission, and how quickly they have to do it. On the personal level, companies must alert Canadians when there is a “real risk of significant harm,” which is defined as a risk of bodily harm, humiliation, damage to reputation or relationships, loss of employment or professional opportunities, financial loss, identity theft, negative effects on credit record or damage to or loss of property.

The notification must also be given as soon as feasible after the breach has been detected. Unfortunately, that has not always been the case considering Uber’s massive breach took over a year to disclose to the public.

In an effort to maintain transparency, the notification to a breach victim must contain some specific details: a description of the breach’s circumstances; when the breach occurred; personal information that may have been leaked; how the company will reduce the risk of harm to the breach victim; steps the victim can take themselves to reduce harm; a way to obtain more information about the breach; and information about an internal complaint process.

All of this information must be delivered to a victim via email, mail, telephone or in-person unless one of three reasons interferes: the cost is far too “prohibitive”; more harm could come to the victim through informing them of details; or if the breached organization does not have contact information for the victim.

Along with the information sent to individuals, a company that has leaked information must address the public and disclose how they were attacked, how many people are at risk, and what they are doing to remedy the situation.

Once all of this happens, the privacy commission can decide to look into the incident formally and launch an investigation—just like they are doing with Facebook and the Canadian company AggregateIQ that allegedly helped the social media giant scrape the data of over 600,000 Canadians and 87 million users.

Privacy is a massive concern right now for Canadians. In the wake of the Facebook scandal, more citizens are looking at ways to protect their information and businesses, but it can be overwhelming. A recent study found that nine out of 10 Canadian companies suffered a breach in 2017, while private companies and the government are both investing massive amounts of money into cybersecurity initiatives through labs and even a dedicated section in the 2018 federal budget.

Other debates around privacy continue to swirl such as the right to be forgotten on the internet. Protecting digital privacy is no small feat, but the government’s steps to improve accountability are a start.