Privacy breaches involving personal information are becoming more common in both Canada and the United States.
The U.S. President recently proposed legislative changes addressing cybersecurity and information sharing. One aspect of the proposed U.S. legislation, the Personal Data Notification & Protection Act, will create a standard for notification of security breaches. It will require organizations that access or collect personal information to notify individuals about security breaches involving personal information, unless there is no reasonable risk of harm or fraud. The notification requirement will apply to organizations that deal with the personal information of more than 10,000 individuals during any 12-month period. Notification will be required within a reasonable period (30 days).
In Canada, Bill S-4, the Digital Privacy Act, similarly requires organizations to report security breaches involving personal information, but only if it is reasonable to believe that the breach creates a real risk of significant harm to an individual. Significant harm includes humiliation, damage to reputation, financial loss, and identity theft, among other factors. Reporting will be required as soon as feasible after it is determined that a breach has occurred. Organizations must also keep records of security breaches involving personal information. Bill S-4 is being challenged for also including provisions that would permit organizations to disclose an individual's personal information without their knowledge in certain circumstances. Bill S-4 has been referred to Committee before a second reading in the House of Commons.
The bottom line: Organizations in Canada and the U.S. must pay attention to the ever-evolving privacy regulation landscape as governments attempt to address the increasing problem of privacy breaches.