Canada Set to Require Its Businesses to Report All Data Breaches, Hacking Incidents

Cyber attacks on Canadian businesses have risen an estimated 44 percent since 2014. Is your business protected?

The Canadian government is in the final stages of enacting legislation that will require all companies to report incidents related to cyber security breaches immediately. This step is intended to protect citizens’ financial and personal data, which could be compromised during such violations.

Canada Data Breach
Security laws have already been passed in Canada within the Digital Privacy Act of 2015; however, they hadn’t been enacted yet due to plans to create more specifics as well as additional related regulations. A draft will appear in the federal government’s Canada Gazette for public consideration before being forwarded to the Canadian Parliament for approval.

U.S. and Europe Already Require Data Breach Reporting

Businesses in Canada, the U.S., and Europe have all been subject to significant security breaches in recent years. These incidents have exposed financial and personal data to unlawful use. Both the U.S. and European countries have stringent laws regarding reporting.

Canada’s regulations and policies on this matter have thus far been much less strict. Until recently, it was always up to each individual company to make the decision about how to handle a data breach. Businesses were not required to go public if they were hacked. This meant that an untold number of data breaches likely unfolded without public awareness.

Over 100 Million Credit Card Accounts Affected By TJX Hack

There have been some exceptions. Back in 2007, the home goods and apparel company TJX was forced to admit it was the victim of a hack. However, this was only after pressure from the banks that had been obliged to pay a high number of fraudulent charges as a result of the breach.

While the announcement was made in 2007, the company revealed that the data breach actually took place in 2005 and affected over 100 million credit cards. This number was double what was initially reported.

With the new Canadian legislation, businesses will be obligated to report successful cyber attacks immediately after they occur. They will be required to report how the hackers were able to gain access as well as the exact information that was compromised. The full report will have to be given to the Office of the Privacy Commissioner of Canada first, who will decide if it should be publicly released.

Failure to Report a Data Breach Could Incur $100,000 Fine

At a minimum, these revelations will be used to alert other related businesses about the potential risk to their information. However, if relevant, the individuals affected by the breach will also be informed. Companies must also keep a record of all of the data breaches they experience. Failure to report can result in fines as high as $100,000.

These changes are ultimately very positive for the Canadian economy and business landscape. The country had been sorely lacking in security measures regarding incidents affecting user data and security. The new requirements will help to alert both citizens and related businesses about cyber attacks going forward. Such attacks have risen an estimated 44 percent in Canada since 2014.

Is your company ready to be in compliance with the new regulations? DigiVie of Ottawa offers expert assistance for a range of business security needs. Contact us at (613) 277-2312 to schedule a consultation, or send us an email at info@digivie.com.