<div dir="ltr"><a href="http://www.mondaq.com/canada/x/574878/data+protection/Mandatory+Data+Breach+Notification+Is+Coming+Is+Your+Organization+Rea">http://www.mondaq.com/canada/x/574878/data+protection/Mandatory+Data+Breach+Notification+Is+Coming+Is+Your+Organization+Rea</a><br><br><p>The <em>Digital Privacy Act</em> amends the <em>Personal
Information Protection and Electronic Documents Act
("PIPEDA")</em> in several key ways. While most of the
provisions of the <em>Digital Privacy Act</em> came into force in
June 2015, those relating to breach reporting, notification and
record keeping are anticipated to come into force later this year
once the associated Regulations come into force.</p>
<p>We provide below an overview of these changes and what
organizations should be doing to ensure they comply.</p>
<h3>What Are the Key Changes?</h3>
<h3>1. Mandatory Data Breach Notification</h3>
<p>Imagine a scenario where an employee loses a corporate laptop
containing customer information at a trade show. Once the
regulations are adopted, the corporation will be required to not
only inform the Office of the Privacy Commissioner (the
"Commissioner"), but may also be required to inform the
customers whose information was lost, potentially increasing the
corporation's litigation exposure as a result of the
incident.</p>
<p>In cases where an organization reasonably believes that a breach
of its security measures creates "a real risk of significant
harm to an individual," mandatory data breach notification
requirements will be enforced under section 10.1 of
<em>PIPEDA</em>. This assessment will be based on the sensitivity
of the personal information that was compromised; the probability
that the personal information has been, is being or will be
misused; and "any other prescribed factor."</p>
<p>"Significant harm" is defined in a broad manner and
includes (among other harms) bodily harm, humiliation, damage to
reputation or relationships, financial loss and identity theft.</p>
<p>The notification to affected individuals must be
"conspicuous," must be given directly to the individual
provided it is feasible to do so, and must be given as soon as
feasible. The notification must allow the individual to understand
the significance of the breach and to take whatever steps possible
to mitigate or reduce the risk of harm.</p>
<p>Also under <em>PIPEDA</em>, where notice is given to affected
individuals, the Act will require organizations to notify other
organizations, such as government institutions and credit bureaus,
as soon as feasible, if the notifying organization believes that
the other organization can reduce the risk or mitigate the harm. These
disclosures will not require consent.</p>
<h3>2. Security Breach Logs</h3>
<p>Another key change will be that organizations will be required
to keep records of all security breaches involving personal
information. While it is currently unclear what level of
materiality will trigger the record-keeping requirement, what is clear is
that the Commissioner will have the right to request and review
these records at any time.</p>
<h3>3. Stiff Penalties for Non-Compliance</h3>
<p>In the most extreme cases, fines of up to $100,000 may be
imposed for knowingly violating the mandatory breach notification
requirements or breach record keeping requirements. Since the
Regulations have not yet been finalized, it is unclear at this time
whether a violation will include a single incident (e.g. a single
failure to notify all individuals) or each incident (e.g. each
failure to notify each individual). What is clear is that the
Commissioner now has the ability to impose significant fines for
non-compliance.</p></div>