For businesses across Canada, the fall of 2017 is expected to bring a dramatic shift in privacy and cyber security regulation. That is when an amendment to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the federal privacy law for private-sector organizations, is scheduled to finally take effect. From then on, a business that experiences a data breach but neglects its obligations under the amendment could quickly find itself in hot water with regulators and customers alike, and facing steep fines.
If you aren’t up to date on what’s happening with PIPEDA and its amendment, known as the Digital Privacy Act, this article highlights the implications of the new regulations for businesses and explains how insurers and businesses need to start preparing.
A quick refresh or primer on PIPEDA
PIPEDA, which Parliament enacted in 2000, was intended to “set ground rules for how private-sector organizations collect, use or disclose personal information in the course of commercial activities across Canada.” One of the primary goals of the legislation was to promote consumer trust in e-commerce by establishing baseline privacy protections for consumers and citizens. Given the rapid evolution of technology and commerce, Parliament knew that the legislation would require regular updates, and the Digital Privacy Act is a response to the growing problem of data breaches both in Canada and abroad. It not only mandates a new framework for breach reporting, notification and record keeping, it also updates or clarifies key points around consent, the Privacy Commissioner’s powers and more.
Although Parliament passed the Digital Privacy Act in 2015, the breach provisions were not brought into force immediately: the government needed time to develop the regulations, processes and procedures that support them, and enforcement was put off until the fall of 2017. With fall upon us, it’s time for insurers and businesses to get ready for the guidance that could arrive any day. Once it is released, it’s a safe bet that the breach reporting, notification and record keeping portions of the Digital Privacy Act will be the parts insurers and businesses most need to understand.
Considering the potential impact
The number of data breaches around the world has grown to epidemic proportions in recent years. Consider the 160 percent year-over-year growth in Canada, or the fact that 37 million records were exposed in the U.S. in 2016 alone. The difficult reality businesses face is that 25 percent of data breaches are due to human error by employees or contractors. In light of the new regulations, statistics like these should be a wake-up call for Canadian businesses. After all, the new rules will give consumers far more visibility into breach events, and a breach that is handled poorly in public view causes significant brand damage. Moreover, under the new regulations, your business or your policyholders could also face fines of up to CAD$100,000 per offence for knowingly failing to report a breach, notify affected individuals or keep the required records.
Moving forward with confidence
Although the final guidance hasn’t been released, there are things insurers and businesses can start doing now to prepare for the upcoming changes, including the following.
• Understand the new requirements quickly once they are released.
• Recognize the potential costs of an inadequate response.
• Prepare for likely data breach scenarios.
• Set time aside to educate key employees.
• Keep an eye out for fast-moving rule changes.
CyberScout is standing by to help
Data breaches are an ugly fact of doing business in the Internet era. In addition to taking the right preventive steps, a quick response is critical. The upcoming regulatory changes under the Digital Privacy Act mean that Canadian businesses need to be on top of these challenges.
Eduard Goodman is global privacy officer for CyberScout.