Data breach reporting scheme unveiled

OTTAWA — Companies would be required to notify people of a serious data breach involving personal information under proposed new federal regulations.

But the regulations are intended to provide “maximum flexibility” to an organization that loses data, says a government notice accompanying the planned measures.

One prominent public advocacy organization voiced skepticism Tuesday about how effective the new rules will be.

Several businesses — including telecom provider Bell Canada, retailer Target and affair-seekers website Ashley Madison — have been stung by breaches in recent years.

The loss of data can be embarrassing for an organization and often causes headaches for customers whose personal or financial details are suddenly swirling in cyberspace.

Legislation passed two years ago laid the groundwork for mandatory reporting of private-sector breaches that pose a “real risk of significant harm” to individuals. The newly published regulations, drafted with the help of public feedback, would flesh out the legislation.

“A key theme of the responses was the need for flexibility to allow organizations to implement requirements in a manner that fits their particular circumstances,” the federal notice says.

“The majority of business representatives were against overly prescriptive regulations and expressed the desire to make use of existing practices to meet their new obligations to the extent possible.”

Where there is a likelihood of “significant harm,” organizations would be obliged to inform affected people as well as the federal privacy commissioner, whose office would determine whether appropriate actions were indeed being taken.

In addition, organizations that experienced a breach would have to keep a record of the incident and make these records available to the privacy commissioner upon request.

The proposed rules don’t go far enough because they give companies discretion as to whether an incident is sufficiently serious to report, said John Lawford, executive director and general counsel of the Ottawa-based Public Interest Advocacy Centre.

A risk-averse company might come clean about a breach, but others may be tempted to keep a lapse under wraps, Lawford said Tuesday.

“I think it’s just a terrible solution, and I think we’re going to have fewer data breaches reported rather than more.”

The regulations say a breach report to individuals must include a description of the lapse, when it happened, the information involved, steps taken to reduce harm to people, information as to what the individual can do, a toll-free number or email address for providing additional details to the public, and information on how to complain to the organization and the privacy czar.

However, a company may provide only indirect notification to affected people — through a website posting or an advertisement — in the event that:

— providing direct notification would cause further harm — for instance, if it would inform family members of the person’s purchase of a confidential product or service;

— the cost of direct notification would be prohibitive; or

— the organization lacks contact information for those affected, or the information it has is outdated.

The privacy commissioner’s office, which has strongly supported the move to mandatory reporting, said Tuesday it was reviewing the regulations and therefore could not yet comment.

The public has until early next month to provide feedback on the draft regulations.
