In an attempt to bolster and standardize cyber breach reporting, the Privacy Commissioner of Canada has changed its reporting requirements under the Personal Information Protection and Electronic Documents Act (PIPEDA).
What Are The Changes?
As of November 1st, 2018, companies will be required to report any data breach that causes a real risk of significant harm to personal information. Breached companies will also be required to notify all affected individuals and take any available steps to reduce the impact of the breach. Records must also be kept for at least 24 months after the day the breach occurred, and submitted to the Privacy Commissioner upon request.
Why Should It Matter To You?
Businesses will have to create new policies and procedures to adhere to the new requirements. Failure to properly report a breach can result in a fine of $10,000 to $100,000, excluding costs of defending claims. There will be a larger public relations exposure as businesses are forced to notify affected individuals. Because businesses are required to notify affected individuals, those individuals are also more likely to attempt to litigate, leading to higher defense costs.
Your Next Steps
Ensure your business has an internal policy to address the upcoming requirements.
In the event of a breach, consider how you will fund the costs arising from the breach. Consider the purchase of a cyber liability policy to help cover these costs, and have access to consultants who specialize in breach response and crisis management.
Please contact us if you are interested in augmenting your policy with cyber coverage.