Lexpert magazine features articles and columns on developments in legal practice management, deals and lawsuits of interest in Canada, the law and business issues of interest to legal professionals and businesses that purchase legal services.
Issue link: https://digital.carswellmedia.com/i/1045898
LEXPERT MAGAZINE | NOVEMBER/DECEMBER 2018 35 S ince the EU's General Data Protec- tion Regulation ("GDPR") came into force in May 2018, the gov- ernment of Canada has decided to align its security breach legislation with these new EU standards. Thus, as of November 1 st 2018, organiza- tions and businesses in Canada will be required to comply with sections 10.1 to 10.3 of the Personal Information Protection and Electronic Documents Act ("PIPEDA"), as well as with the new Breach of Security Safeguards Regulations, which create a federal mandatory breach reporting regime for Canada's private sector. However, a preliminary issue with respect to the Sponsored by Privacy Breach Reporting: Supplying the Stick for Your Own Beating? By: Guillaume Laberge, Lavery Lawyers application of these new provisions may arise regarding the ex- tent to which they ap- ply to private sector organizations within provinces that have ad- opted legislation which the federal govern- ment has found to be "substantially similar" to PIPEDA. These new regula- tions, although ap- plauded for providing increased protection for personal informa- tion, also have the cor- ollary effect of impos- ing several hefty obli- gations on Canadian businesses and organi- zations. Such obligations include the requirement to: (i) conduct a risk assessment to determine whether the breach poses a "real risk of significant harm" to af- fected individuals; (ii) give notice to affected individuals and the Privacy Commissioner "as soon as feasible"; and (iii) keep re- cords of all breaches (even those that do not meet the reporting threshold) for at least 24 months. The record keeping policy is an important compliance mech- anism of the new regulations and will inevitably result in in- creased costs and new challenges for businesses and organizations dealing with private information. It seems undeniable that these new regulations will also increase the already growing interest in cyber-risk insurance in Canada. However, it is very likely that pro- spective cyber liability insurers will demand access to the breach records of their future clients in order to properly assess the risk. Businesses considering the possi- bility of outsourcing certain ser- vices to a service provider may also consider requesting access to the service provider's breach records as part of their due dili- gence. Likewise, parties to a cor- porate transaction may also wish to review the breach records to help determine the risks associ- ated with the transaction. One thing is now certain: de- nial is no longer an option for cyber security risk management. Businesses will have to ensure that they adopt safeguard mea- sures and internal procedures that will allow them to adequate- ly detect, react to, and defuse security breaches. Technology security specialists and lawyers will be valuable allies to help or- ganizations and businesses navi- gate these new waters.