Data breach disclosure law could bring fines

Chantal Bernier says bill S-4, which would make data breach notification necessary and introduce fines ‘has it right.’
Fines are an established punishment for data breaches south of the border and they could soon be coming to Canada.

Last week, a multi-state settlement was reached with TD Bank, N.A., resolving an inquiry into a 2012 data breach in which 1.4 million files were compromised. The US$850,000 multi-state settlement also requires the bank to reform its practices to help ensure future incidents do not occur.

The breach stemmed from the loss of unencrypted backup tapes, which the bank reported in Massachusetts. In total, the files contained personal information for 260,000 TD Bank customers. The bank will now have to notify state residents of any future security breaches or other acquisitions of personal information “in a timely manner.”

Unlike the U.S., Canada currently has limited requirements for organizations to proactively notify individuals or the appropriate regulatory bodies of a data breach in such circumstances. The exceptions are Ontario’s Personal Health Information Protection Act, Newfoundland and Labrador’s Personal Health Information Act, New Brunswick’s Personal Health Information Privacy and Access Act, and Alberta’s PIPA, all of which require mandatory data breach notification.

Bill S-4, the Digital Privacy Act, was introduced in the Senate in April and is now before the House of Commons. It would amend the Personal Information Protection and Electronic Documents Act. The bill, which is perhaps better known for concerns some have about what it is attempting to address with respect to online privacy, also contains mandatory breach notification provisions.

It would require organizations to notify both individuals and the privacy commissioner in the event of a breach of security of personal information, and to keep a record of every breach. Breaches could also incur fines of up to $100,000.

“On breach notification I think Bill S-4 has it right,” says Chantal Bernier, former interim privacy commissioner of Canada who is now counsel at Dentons LLP. “You need to make breach notification mandatory so the affected individuals can protect themselves.”

Bernier says the way the bill requires notification “as soon as possible,” but not within a specified timeline, is appropriate given organizations need time to properly assess the damage done.

“It clearly imposes diligence but also recognizes the operational reality that it takes a while to define the scope of the breach, and depending on the type of breach, it can take a shorter or longer time period to scope it out and know who exactly should be informed,” says Bernier. “That is a well-thought-through notification obligation.”

Bernier also likes that the notification would occur “only in cases of significant harm,” which includes “physical and moral” harm.

“Making it just for significant harm avoids notifying individuals needlessly and worrying them in the absence of real consequences,” she says. “My experience has been that people can react very acutely to the announcement of a privacy breach. There is such concern with fraud I would want us to be very judicious in when we notify or not. We should notify but only when there is actual potential or significant harm.”

In the absence of breach disclosure now, Mark Hayes, of Hayes e-Law LLP, says he encourages clients to voluntarily disclose if their organization has experienced a breach.

“There’s an awful lot of voluntary disclosure that takes place,” says Hayes. “Certainly with any client I advise and the general advice most people will give today is that while there is no statutory obligation, in most cases you want to disclose to the [privacy] commissioner as soon as you know enough to disclose. That may not be day one because you want to do the investigation first.”

In Canada and Alberta the test is that there is a “reasonable chance” there will be harm done.

“What most often happens is a hard drive disappears and you don’t know if anyone got a hold of it or if it’s being used. So in those cases it’s difficult to assess if [there is] significant harm,” says Hayes. “That is different than with a hacking case like happened with Target and Staples, where it was a targeted invasion to take data and someone was probably looking to do something with it.”

In most cases in Canada, even though there isn’t a statutory obligation to disclose right now, most well-advised companies will go to the authorities as quickly as they can.

“It is prophylactic in terms of limiting the interest the regulator is going to have in nosing through your business,” says Hayes. “The rule of thumb is if the regulator reads about it in the newspaper, they are going to be all over you. If the regulator hears from you first, they will think it’s under control.”

Hayes says he has helped clients who have had some minor breaches but on some occasions when he suggests they should go to the regulator, they push back.

“I convince them to go to the regulator and it’s the last we hear from them because it looks like it’s being taken care of,” he says.

The more stringent U.S.-based policies are a product of what Hayes says was a “knee-jerk reaction” to high-profile data breaches that required compulsory disclosure not only to the regulator but also to the individuals.

“Very often you end up causing people more concern with notice because nothing ever ends up happening,” he says. “The classic is the lost thumb drive but you don’t know where it went and you end up notifying everyone for a risk that is tiny. If you set a low threshold, people end up getting lots of notifications and it becomes wallpaper.”

The actual damage to consumers in Canada has been relatively small, says Hayes, which speaks to why there hasn’t been a huge push in the past for breach disclosure laws here.

“Our banks cover credit card losses and as a result there isn’t a lot of financial damage to consumers so you don’t get the groundswell of political support behind it.”
