On Sept. 2, the Canadian Government announced an update to the Digital Privacy Act (June 2015) that will make it mandatory for all Canadian companies to report if their data has been breached. Currently, Alberta is the only province where companies are required by law to report breaches. This change extends that requirement across the country.
Under the new proposed rules, any company that has a data breach will be required to do a risk assessment to determine if the breach poses a “Risk of significant harm”. If so, they’re required to notify all individuals that are affected and also report the breach to the Canadian Privacy Commissioner’s Office.
A 2017 study by the Ponemon Institute found data breaches are most expensive in the United States and Canada. The average per capita cost of a data breach was $225 in the United States and $190 in Canada. However, because breach reporting is not mandatory, it’s difficult to get a full picture of the number of breaches. Still, over the last few years there have been a number of high profile data breaches where the personal information of Canadians was stolen. It’s hoped that mandatory reporting will create an incentive for organizations to take information security more seriously.
The consequences for organizations that decide not to comply with the new rules are two-fold. First is the public relations nightmare that occurs when knowledge of the breach eventually becomes public. Typically this takes the form of a loss of confidence in the brand and results in a loss of customers: up to a third of customers will leave after a breach. Second are the fines for non-compliance under the proposed new rules: up to $10,000 for a summary offence and up to $100,000 for an indictable offence.
To learn more about how LoginRadius can help you manage and secure your customer profile data, contact us to chat with a product specialist about your specific data security needs or visit our Data Management page to learn more about how we secure your data.