Canada Releases New Data Breach Regulations
JD Supra – Brad Davis
On April 18, 2018, Canada unveiled the Breach of Security Safeguard Regulations: SOR/2018-64 (“Regulations”). To highlight some of the finer points: to trigger the notification requirements, the Regulations require organizations to determine whether a data breach poses a “real risk of significant harm” to any individual whose information was accessed in the breach. If the breach meets this harm threshold, the affected organization must notify the Privacy Commissioner of Canada, as well as the affected individuals. As for reporting, the notification to the Commissioner must describe the circumstances of the breach, the time period, the personal information accessed, the number of individuals compromised, steps taken to reduce harm to those individuals, steps taken to notify those individuals and an organization point of contact who can answer any follow-up questions regarding the breach. The notification to the individuals requires the affected organization to disclose similar information. As for the communication mechanism for the individual notification, the Regulations give affected organizations flexibility to use any form of communication that a reasonable person would consider appropriate, such as phone, email or advertisement. Interestingly, rather than specifying a strict time frame for notification, the Regulations require such notification to be completed “as soon as feasible.” In providing this flexibility, the Cabinet recognized that it takes time for organizations to gather all necessary information. Lastly, the Regulations establish a mandatory minimum of two years for the maintenance of all records related to the breach.
Link: https://www.jdsupra.com/legalnews/canada-releases-new-data-breach-87919/