Canada's Tough New Breach Reporting RegulationsAttorney Imran Ahmad Discusses Potential Impact
Canada had been lagging behind the U.S. and some other nations in terms of breach notification regulations, but now it's catching up, says attorney Imran Ahmad, who explains new requirements that are coming into effect.
Previously in Canada, entities experiencing a breach were required to identify what kind of breach occurred and to notify regulators. "Contacting affected individuals [about the breach] would be something you would delegate to the regulators to get advice and guidance on," he says.
But that all changes under the Digital Privacy Act of 2015, which amended certain Canadian privacy regulations in three key ways and will likely go into effect by the end of 2017, Ahmad says.
Those changes include mandatory breach notification to affected individuals; keeping a record log for two years of any types of data breaches that occur; and imposing sanctions of up to $100,000 for each violation of the new law, he says.
Those amendments provide "a bit more teeth" to Canadian data breach legal requirements, he notes.
- The potential impact of Canada's new breach notification regulations on U.S.-based companies;
- The impact on the security action plans of Canadian companies;
- Cyber insurance considerations related to Canada's new breach notification law.
Ahmad is a business law partner in the Toronto office of Miller Thomson who specializes in the areas of cybersecurity, technology and privacy law.