New security breach reporting guidelines are set to come into force on November 1st, 2018, compelling organizations to report any security or data breaches that pose significant harm to affected individuals.
According to the Office of the Privacy Commissioner’s (OPC) website, the new rules will require organizations to report breaches to the OPC “in the circumstances to believe that the breach of security safeguards creates a real risk of significant harm (RROSH) to an individual.”
“Whether a breach of security safeguards affects one person or a 1,000, it will still need to be reported if your assessment indicates there is a real risk of significant harm resulting from the breach,” reads an excerpt from the OPC website.
Organizations will also be required to maintain at least two years of records of all the security safeguards they have in place.
While the new guidelines should prevent companies from failing to speedily report breaches, privacy commissioner Daniel Therrien expressed reservations about the new rules.
According to an October 29th, 2018 media release, Therrien said that the regulations are “imperfect but a step in the right direction.”
Therrien reportedly believes that the new rules fail to compel organizations to provide information about the quality of existing safeguards.
The new rules also fail to provide the OPC with the means to “analyze breach reports, provide advice and verify compliance.”
Additionally, the OPC hasn’t been given the power to impose monetary fines on organizations that fail to adequately protect individuals — a measure that Therrien has repeatedly advocated in the past.
“The number and frequency of significant data breaches over the past few years have proven there’s a clear need for mandatory reporting,” said Therrien, in the same October 29th media release.
“Mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information.”
The new guidelines are part of the 2015 Digital Privacy Act, which amends portions of the Personal Information Protection and Electronic Documents Act (PIPEDA) — one of Canada’s primary data privacy laws.
While the Digital Privacy Act received royal assent on June 18th, 2015, its coming into force was postponed to give organizations the opportunity to determine how to implement its various requirements.