The Law Offices of Mary N. Chaney, P.L.L.C.
The Cyber Security Law Firm of Texas

Mary's Blog

The Breach Whisperer

About Mary....

Mary N. Chaney, Esq., CISSP® is a former Special Agent for the FBI where she investigated cybercrime, a seasoned corporate executive that built and operated information security teams and now a cybersecurity attorney.

As a self-described “Breach Whisperer” our firm can train your company to properly prepare for your eventual breach!

The overall goal of our firm is to use our wealth of knowledge and expertise to help support, translate and advise, Boards of Directors, CIO's, CISO's and General Counsel's on how to legally protect their company from cyber related risk.

Blog Entries


 

'O Canada, Time To Report Your Breach!

See Article Here

Canada's new data breach law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), took effect on November 1. Once again another country beats the United States in enacting privacy protections for its citizens.

The law states that “an organization must report and notify individuals of a data breach involving personal information under its control if it reasonably determines the breach creates a ‘real risk of significant harm’ to an individual, regardless of the number of individuals affected.” That means if you do business in Canada and you lose one record of a Canadian citizen you have to report that loss. In addition, the law puts the onus on the organization that controls the data to report. No third-party contractual provisions that put the onus on the vendor here! I warn my clients all the time that no matter how brilliant their attorney is (this of course means me) the responsibility of protecting your data is on you! You cannot get around privacy and cyber security requirements through contracts.

The law also requires there to be a “real risk of significant harm” to the individual(s) affected. This is defined as “bodily harm, humiliation, reputation or relationship damage, loss of employment, business, or professional opportunities, financial loss, identity theft, negative effects on a credit record, and damage to or loss of property.”

Lastly, the law requires an organization to keep information for every breach of personal information for two (2) years.

I believe the Canadian law is similar to other requirements placed on organizations that suffer a breach, so I again ask why is it that we can’t enact privacy legislation in the United States?