Canadian Bill Seeks Mandatory Data Breach Notification

Mandatory data breach notification may soon become federal law in Canada.  The Canadian Parliament is currently reviewing Bill C-12, a proposed update to Canada’s existing privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).  PIPEDA currently does not contain any breach notification provisions.

The proposed update would require entities to notify both affected individuals and the Privacy Commissioner of Canada of breaches involving “personal information,” a term that is broadly defined as “information about an identifiable individual.”  Interestingly, the trigger for notification differs substantially depending on whether notification is made to the individual or to the Commissioner.  Notification to the Commissioner is required upon discovery of any material breach involving personal information.  The factors to consider when determining whether a breach is “material” include:

  •  Sensitivity of the personal information;
  •  Number of individuals whose personal information was involved; and
  •  Assessment by the organization that the cause of the breach, or a pattern of breaches, indicates a systemic problem.

Notification to affected individuals, on the other hand, is based on a risk of harm standard.  Individual notification is required following discovery of any breach involving personal information where “it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.”  The Bill provides the following examples of “significant harm”:

  • Bodily harm
  • Humiliation
  • Damage to reputation or relationships
  • Loss of employment
  • Loss of business or professional opportunities
  • Financial loss
  • Identity theft
  • Negative effects on the credit record; and
  • Damage to or loss of property.

To determine whether a “real risk” of such harm exists, entities should consider (i) the sensitivity of the personal information involved in the breach, and (ii) the probability that the personal information has been, is being, or will be misused.

While these notification provisions are an obvious attempt to provide a detailed guide to mandatory notification (especially in comparison to the existing U.S. notification laws), Bill C-12 is still fairly vague as to the exact circumstances under which mandatory notification is triggered.  Even with Bill C-12’s inclusion of the above-listed factors, notification will still depend on a subjective evaluation of the circumstances of each particular breach.  Furthermore, the existence of two wholly different standards, one for notification to the Commissioner and another for notification to affected individuals, may result in confusion as entities grapple with mandatory breach notification if and when this Bill is signed into law.  We will be watching to see if these issues are addressed as the Bill progresses through Parliament.