Avoid new $100,000 penalties in force as of November 1, 2018 – New federal requirements on data breach record-keeping and reporting - Retail Council of Canada

November 1, 2018

As of November 1, retailers must notify the federal Office of the Privacy Commissioner (OPC) and affected individuals if a breach involving personal information that the retailer controls creates a “real risk of significant harm”.

Record-Keeping: You are required to maintain records of security safeguards and all breaches, whether or not a breach meets this threshold for reporting.

Determining whether there is a “real risk of significant harm” means considering the:

  • Sensitivity of the personal information involved. For example, information that is already publicly available elsewhere (e.g. online, in the phone book) may be less sensitive than credit card numbers.
  • Probability that the information has been, is, or will be misused.

Reporting: You must also notify other organizations if they may be able to mitigate or reduce the risk of harm to the individuals affected.

For example, notify:

  • Law enforcement if an attack on your computer system comes from malicious state or commercial actors.
  • Banks or credit card companies if your customers’ payment information is compromised.

Penalties: Failure to report a breach or to maintain records is an offense under the new laws, punishable by a fine of up to $100,000.

RCC Action:

  • RCC success to date:
    • Reasonable reporting requirements, i.e., only in incidents of significant harm
    • Flexibility within your business to determine what constitutes significant harm
    • Flexibility on what must be reported – information directly related to the incident
  • RCC will advise members of all new developments, including guidance for compliance and enforcement activities carried out by government.

For more information, please visit the Office of the Privacy Commissioner’s page on breach reporting obligations.

If you have any questions or concerns, please don’t hesitate to contact Jason McLinton, Vice President, Grocery Division and Regulatory Affairs, at jmclinton@retailcouncil.org or 613-656-7903, or Cory Anderson, Manager, Government Relations and Regulatory Affairs, at canderson@retailcouncil.org or 613-656-7901.