Lexpert US Guides

Litigation 2015

The Lexpert Guides to the Leading US/Canada Cross-Border Corporate and Litigation Lawyers in Canada profiles leading business lawyers and features articles for attorneys and in-house counsel in the US about business law issues in Canada.

Issue link: https://digital.carswellmedia.com/i/597942


www.lexpert.ca | LEXPERT • December 2015 | 35

CYBERCRIME

The notice must be sufficiently explicit to allow the individuals to understand the significance of the breach and take whatever remedial steps may be required.

• Notify other organizations, including the government, if notification can mitigate the risk resulting from the breach.

Failure to comply with the Act's data-breach rules can result in fines of up to C$100,000. PIPEDA's reporting requirements will apply to any organization that collects, uses or discloses personal information in the course of commercial activities, including federal works, undertakings and businesses.

Although Ontario, Newfoundland, New Brunswick and Nova Scotia have enacted legislation requiring notification in the event of the compromise of health-related personal information, only Alberta currently has a private sector-wide data-breach notification requirement. In that province, the Personal Information Protection Act (PIPA) requires organizations to notify the Alberta Privacy Commissioner if personal information under their control is accessed without authorization in circumstances in which a reasonable person would consider that there exists a real risk of significant harm to an individual. The Alberta Privacy Commissioner may in turn require the breached entity to notify the affected individuals if he or she determines that there is a real risk of significant harm as a result of unauthorized access or disclosure. Factors to be considered under PIPA in order to determine whether a real risk of significant harm exists include the number of individuals affected, the maliciousness of the breach, the sensitivity of the information, whether there are indications that personal information was misappropriated for nefarious purposes and the harm that could result.

Manitoba passed the Personal Information Protection and Identity Theft Protection Act (PIPITPA). PIPITPA contains a broad breach-notification obligation that will, once in force, require an organization that collects or uses personal information to notify an individual if personal information in its control or custody is accessed, stolen or lost in an unauthorized manner. Unlike PIPEDA or PIPA, there is no "real risk of significant harm" threshold. Nor is there any obligation to notify the Privacy Commissioner of a data breach.

Although the United States does not currently have a broad-based data breach notification law, on January 12, 2015, President Obama proposed the Personal Data Notification & Protection Act. This legislation would create a federal standard for data-breach notification. It would apply to a wide variety of "sensitive personally identifiable information." It would also require notification directly to the individuals concerned and through the media if a security breach creates a risk of harm. If a breached entity determines that a risk of harm exists, it must notify the Federal Trade Commission within 30 days of discovering the breach. Businesses would also be required to notify federal law enforcement and national security authorities of a data breach if the sensitive personally identifiable information of more than 5,000 individuals was accessed or acquired, or if the intrusion involved a data system containing sensitive personally identifiable information of more than 500,000 persons across the United States.

The majority of states have enacted data-breach notification laws applicable to affected individuals resident in such jurisdictions (a complete list of the relevant state laws may be found at www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx). The various state laws are similar, but they do have significant variations, including what constitutes a breach that triggers the obligation to notify. In many jurisdictions within the United States, time is of the essence when reporting data breaches.

In addition, companies in industries such as banking and financial services, insurance and healthcare may be subject to certain state and federal industry-specific breach notification requirements. Regulatory authorities at both state and federal levels in the United States can impose significant fines and penalties for non-compliance with notification requirements, including late notification. In some cases, a breached entity's exposure to fines and penalties will increase if it is found not to have complied with applicable data privacy and security standards. For example, companies subject to regulatory scrutiny by the Federal Trade Commission may be subject to enforcement for unfair or deceptive acts or practices under the Federal Trade Commission Act. The FTC has interpreted "unfair acts or practices" to include the failure to adopt appropriate data-security measures to protect personal information and has brought enforcement actions against companies that have suffered data breaches.

The application of various state laws is typically based on the place where the person whose data was compromised resides. In many cases, state laws will apply irrespective of where the breached entity's place of business is located or where the compromised information was held. This means that Canadian companies could be subject to US state data-breach legislation requiring them to give notice to United States-based customers in the event of a data breach. It is critical, therefore, that Canadian companies with customers located in the United States be aware of potential reporting requirements when faced with a data breach.

George J. Pollack is a partner in Davies' Litigation practice. He regularly acts on behalf of public and private companies on a wide variety of complex commercial litigation matters, including investigations and litigation arising out of data breaches and other cybersecurity-related matters, extraordinary remedies, debt recovery, the enforcement of foreign arbitration awards and judgments, and specialty insurance and contractual disputes. George has represented clients before the courts at all levels of the Province of Québec and throughout the country, including the Supreme Court of Canada. He also advises clients in their dealings and appearances before various administrative tribunals. In addition to his litigation practice, George acts as an arbitrator and a mediator. He is a member of the Québec and Ontario Bars.

George J. Pollack
Davies Ward Phillips & Vineberg LLP
Tel: (514) 841-6420
Fax: (514) 841-6499
gpollack@dwpv.com
