• About
  • Offices
  • Careers
  • Students
  • Alumni
Background Image
Logo Bennett Jones
  • People
  • Expertise
  • Resources
  • Search
  • Menu
  • Search Mobile
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z All

FEATURED AREAS

Energy
Funds & Finance
Mining
Capital Projects
All Industries
Crisis & Risk Management
Environmental, Social & Governance
Governmental Affairs & Public Policy
All Practices
Insights
Media
Events
Subscribe
COVID-19 Resource Centre
Business Law Talks Podcast
Kickstart
New Energy Economy Series
People
Featured Areas
All Practices
All Industries
About
Offices
Careers
Insights
Events
Search
Search
 

Mandatory Breach Notification Across Canada

April 04, 2018

Written by Martin P.J. Kratz, QC

By Order in Council 2018-0369 on March 26, 2018, mandatory breach notification under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), comes in force November 1, 2018, for all entities subject to its jurisdiction.

The PIPEDA rules follow Alberta’s leadership, which has had mandatory breach notification for eight years. In Canada, provincial health privacy laws in Ontario, New Brunswick and Newfoundland and Labrador also contain reporting requirements. Most U.S. states have mandatory breach notification requirements. It is recognized that notification of the affected individuals is a key factor in mitigation of risk in instances of cyber breach.

The national mandatory breach notification rules includes a mandatory requirement for organizations to give notice to affected individuals and to the Office of the Federal Privacy Commissioner about data breaches where it is reasonable to believe that the breach creates a "real risk of significant harm to the individual." Unlike Alberta’s law, PIPEDA provides for some factors relevant to consider in determining whether there is a "real risk of significant harm", and what constitutes "significant harm". Under PIPEDA "significant harm" includes, among other things, humiliation, damage to reputation or relationships and identity theft. A "real risk" requires consideration of the sensitivity of the information, the probability of misuse and other factors.

The notification under PIPEDA is to be given "as soon as possible" after the breach has occurred. Under regulation, the specific content required of both a breach notification to the Federal Privacy Commissioner and to affected individuals has been specified.

Unlike the Alberta law, PIPEDA also requires where notification has been provided to individuals that the organization may be required to notify other organizations and the government where such notifications may reduce risks or mitigate harm. PIPEDA will also require organizations to keep and maintain records of every breach of safeguards involving personal information under their control. The Federal Commission can require an organization to provide a copy of such records to the Commissioner.

Organizations preparing for cyber breaches should contemplate that breach notification can be risk mitigating and will as of November 1, 2018, be mandatory for many organizations in Canada.

Notification responsibilities will arise under law and under many other relationships, for example, with insurers and under financing covenants. Evidence from a study of cyber breaches show that time and money can be saved if an organization has assessed its notification responsibilities before an incident has occurred. Now is the time to consider your notification plan.

Read the New Energy Economy Series

Related Links

  • Insights
  • Media
  • Subscribe

Related Expertise

  • Cybersecurity
  • Privacy & Data Protection

Recent Posts

Speaking Engagements

Ranjan Agarwal: Fireside Chat With Class Actions Bench and Bar

March 10, 2021
       

Speaking Engagements

Canadian SPACs and IPOs for Israeli Tech Companies

March 09, 2021
       

Speaking Engagements

Ranjan Agarwal on Motions Advocacy

March 04, 2021
       

Articles

Michael Kergin on Trudeau and Biden: Off to a Good Start

February 26, 2021
       

In the News

David Dodge and Michael Horgan in Globe and Mail on Fiscal Anchors

February 24, 2021
       

Speaking Engagements

EPC Contract: Love it or Leave it

February 24, 2021
       

Articles

Enforcing Standard-Form Arbitration Agreements in Class Actions: Lessons from the Uber Saga in Canada

February 23, 2021
       

Announcements

Bennett Jones in Chambers Global 2021

February 22, 2021
       

Articles

Michael Smith on 5 Lists Every In-House Lawyer Can Keep

February 19, 2021
       

The firm that businesses trust with their most complex legal matters.

  • Privacy Policy
  • Disclaimer
  • Terms of Use

© Bennett Jones LLP 2021. All rights reserved. Bennett Jones refers collectively to the Canadian legal practice of Bennett Jones LLP and the international legal practices and consulting activities of various entities which are associated with Bennett Jones LLP

Logo Bennett Jones