O Canada, Time To Report Your Breach!
Canada's new data breach law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), took effect on November 1. Once again, another country beats the United States in enacting privacy protections for its citizens.
The law states that “an organization must report and notify individuals of a data breach involving personal information under its control if it reasonably determines the breach creates a ‘real risk of significant harm’ to an individual, regardless of the number of individuals affected.” That means if you do business in Canada and you lose even one record of a Canadian citizen, you have to report that loss. In addition, the law puts the onus on the organization that controls the data to report. No third-party contractual provisions that shift the onus to the vendor here! I warn my clients all the time that, no matter how brilliant their attorney is (this of course means me), the responsibility for protecting your data is on you! You cannot get around privacy and cybersecurity requirements through contracts.
The law also requires there to be a “real risk of significant harm” to the individual(s) affected. This is defined as “bodily harm, humiliation, reputation or relationship damage, loss of employment, business, or professional opportunities, financial loss, identity theft, negative effects on a credit record, and damage to or loss of property.”
Lastly, the law requires an organization to keep a record of every breach of personal information for two (2) years.
I believe the Canadian law is similar to other requirements placed on organizations that suffer a breach, so I ask again: why is it that we can’t enact privacy legislation in the United States?