Canada Digital Privacy Act: $100,000 Fine For Not Reporting Data Breaches.

Canada is set to introduce a new bill that would make it illegal to fail to notify the people affected by a data breach, or to fail to report the breach to the Privacy Commissioner.  The new law, called the Digital Privacy Act, will be a much needed amendment to PIPEDA (Personal Information Protection and Electronic Documents Act), which already provides guidelines on things like the use of data encryption for protecting personal data.

The big element in this news is that fines of up to $100,000 could be handed out by the Privacy Commissioner’s Office.  With the stick, however, you should look for the carrot.

Encryption Software and Other Security Tools Get Boost

Data encryption has been pointed out as a means of protecting personal information from data breaches under the PIPEDA.

Among other things, the Digital Privacy Act appears to reinforce the need to use such tools. (Does this come as a surprise, though?  We are living in the digital age, after all).  For example, the following definition is being added to PIPEDA:

“breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.

Why would this be a thumbs-up for full disk encryption, mobile device management and other forms of data security?  Because these tools are expressly designed to prevent the loss, unauthorized access, or unauthorized disclosure of personal information.  Encryption is a security safeguard (which the original PIPEDA legislation makes abundantly clear).  Since the data on an encrypted computer stays encrypted, the security safeguard is still in place if the laptop were to be lost.  Result: not a breach of security safeguards.

This ties in to the following requirement that is being introduced by the new bill (my emphasis):

An organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.

With “significant harm” being defined as (my emphasis):

For the purpose of this section, “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

The one avant-garde aspect of this Act is that it classifies identity theft and negative effects on the credit record as forms of “harm”.  As far as I know, this is the only case in the world so far where this is so.  For example, in the U.S., the effects of a data breach on a person’s credit record are not exactly viewed as a cognizable harm.

Questionable Loophole

It’s not all milk and honey when it comes to the Act, though.  Many people who have experience with “harm threshold” clauses are probably not going to be too crazy about the “creates a real risk of significant harm” portion.  After all, who determines what is a “real risk”?  However, Canadians have thought of everything:

The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to the individual include

(a) the sensitivity of the personal information involved in the breach;
(b) the probability that the personal information has been, is being or will be misused; and
(c) any other prescribed factor.

The use of encryption software ensures that the real risk of significant harm is virtually eliminated; if it was not used, I guess a company could argue its case to the Commissioner.
