Data Breach Disclosure Laws May Be Coming To Canada

Just when Canadian businesses thought governments might be done with legislating them to oblivion, word comes of even more oversight that may be coming soon to your business:

In the US, Bill S-4 would amend that country’s Personal Information and Electronic Data Act. The intent is to impose on businesses a requirement to notify individuals of breaches in the security of personal information where there is the potential for significant harm. The individuals affected need to be notified, as does the privacy commissioner. Failure to notify carries a fine of up to $100,000.00.

As is discussed in the article, businesses in Canada already voluntarily disclose to individuals and the authorities when a breach is significant and is a threat to the customer’s data.

Is legislation seriously going to change the assessment made by a business as to the need to disclose? Can businesses not be given some credit (pun intended) that they have other interests besides not being fined to ensure that breaches do not occur and that customers are notified if one does happen – such as customer retention, avoiding negative publicity, insurance costs and the bottom line?

Given the usual “how can it hurt” attitude of the electorate and the desire of government to be seen as creating jobs (through increased governance), we should expect to see such legislation here in Canada soon enough.

Paul H. Voorn
Andriessen & Associates, Professional Corp.