Canada’s new mandatory breach-notification requirements in the Personal Information Protection and Electronic Documents Act (PIPEDA) took effect on November 1, 2018. Earlier this week, the Canadian Privacy Commissioner released guidance that provides an overview of what companies should know about PIPEDA’s new requirements to (1) report certain breaches to the Privacy Commissioner, (2) notify affected individuals, and (3) keep records of all breaches for at least two years. While the text of PIPEDA is silent as to its geographical reach, case law suggests that companies that collect, use, or disclose Canadian residents’ personal information in connection with commercial activities will be subject to the law’s requirements.
Under the new guidance, companies must notify the Canadian Privacy Commissioner and affected individuals “as soon as feasible” about incidents that pose “a real risk of significant harm” to affected individuals. Companies must also keep detailed records of any breach for two years and ensure that their third-party partners are following PIPEDA’s rules. Non-compliance with the new rules leads to staggering penalties: up to C$100,000 ($79,139) per day for each individual who should have been notified of the breach. Ensuring your incident response plan reflects recent changes in the law is vital to protecting your company in the event of a suspected cyberattack or security breach.
For more information about how these new requirements may affect your business, please contact your Ally Law intellectual property lawyer.