Data breach disclosure legislation is changing. Are you prepared?
As data breaches continue to affect Canadian organizations, increasingly causing reputational and financial damage, the federal government plans to strengthen the law to improve transparency around data privacy and security. At some point in 2017, new mandatory breach reporting legislation is expected to require Canadian organizations to keep a record of every data breach, to notify any affected individuals where the breach poses a real risk of significant harm, and to report such breaches to the Office of the Privacy Commissioner.
Historically, Canada has lagged behind other countries in mandatory breach reporting. While the specifics vary (required notification windows differ from jurisdiction to jurisdiction), other countries such as the U.S. already have rules requiring organizations to inform both the individuals whose details have been compromised and the regulators. With Canada following suit, the cost of a breach is expected to rise as organizations take on the added work of identifying and locating the victims and deciding how best to notify them (online, text message, mail, phone, etc.).
For one thing, breach notification will move to the top of audit committee (AC) and board agendas. They will need to look closely at what is actually required: only breaches that the organization concludes pose a real risk of significant harm must be notified and reported. To avoid disclosing a breach unnecessarily, ACs should proactively:
There are a number of questions ACs can ask either internally or by working with a service provider to assess what steps they need to take to prepare for the legislation in a timely and effective manner:
The AC's oversight role includes ensuring the organization takes appropriate steps to be prepared for a cyber-attack. Going forward, establishing and demonstrating a strong, defensible cyber-security position will be key to reducing the reputational and legal risks that come with mandatory breach reporting. The exact timing of the legislation is unclear, but it is expected to be imminent. Organizations need to act now: understand the legislation and decide how they will respond, ideally before it takes effect, because the fundamental changes it requires may take time to implement.