Data breach reporting scheme unveiled

OTTAWA — Companies would be required to notify people of a serious data breach involving personal information under proposed new federal regulations.

But the regulations are intended to provide “maximum flexibility” to an organization that loses data, says a government notice accompanying the planned measures.

One prominent public advocacy organization voiced skepticism Tuesday about how effective the new rules will be.

Several businesses — including telecom provider Bell Canada, retailer Target and affair-seekers website Ashley Madison — have been stung by breaches in recent years.

The loss of data can be embarrassing for an organization and often causes headaches for customers whose personal or financial details are suddenly swirling in cyberspace.

Legislation passed two years ago laid the groundwork for mandatory reporting of private-sector breaches that pose a “real risk of significant harm” to individuals. The newly published regulations, drafted with the help of public feedback, would flesh out the legislation.

“A key theme of the responses was the need for flexibility to allow organizations to implement requirements in a manner that fits their particular circumstances,” the federal notice says.

“The majority of business representatives were against overly prescriptive regulations and expressed the desire to make use of existing practices to meet their new obligations to the extent possible.”

Where “significant harm” is likely, organizations would be obliged to inform affected people as well as the federal privacy commissioner, whose office would determine whether appropriate actions were indeed being taken.

In addition, organizations that experienced a breach would have to keep a record of the incident and make these records available to the privacy commissioner upon request.

The proposed rules don’t go far enough because they give companies discretion as to whether an incident is sufficiently serious to report, said John Lawford, executive director and general counsel of the Ottawa-based Public Interest Advocacy Centre.

A risk-averse company might come clean about a breach, but others may be tempted to keep a lapse under wraps, Lawford said Tuesday.

“I think it’s just a terrible solution, and I think we’re going to have fewer data breaches reported rather than more.”

The regulations say a breach report to individuals must include a description of the lapse, when it happened, the information involved, steps taken to reduce harm to people, information as to what the individual can do, a toll-free number or email address for providing additional details to the public, and information on how to complain to the organization and the privacy czar.

However, a company may provide only indirect notification to affected people — through a website posting or an advertisement — in the event that:

— providing direct notification would cause further harm — for instance, if it would inform family members of the person’s purchase of a confidential product or service;

— the cost of direct notification would be prohibitive; or

— the organization lacks contact information for those affected, or the information it has is outdated.

The privacy commissioner’s office, which has strongly supported the move to mandatory reporting, said Tuesday it was reviewing the regulations and therefore could not yet comment.

The public has until early next month to provide feedback on the draft regulations.
