Guide to the Digital Privacy Act

20 June 2018

Preparing For Canada’s Upcoming Data Breach Notification Rules

With each passing year, malicious cyber events increase in size and severity, impacting companies and customers alike. Small and medium-sized businesses, as well as municipalities, are frequent victims of hackers, as their security measures and legacy systems can be easier to hack. However, even large organizations that have invested substantial sums into cyber security programs, like Yahoo, eBay and Target and, most recently, Equifax, Hudson’s Bay Co., CIBC and BMO, are not immune from the threat of a data breach. Municipalities and all other Public Sector entities are no exception.

Canada itself has seen an increase in cyber security incidents, with the number of businesses reporting a loss or exposure of sensitive data over a 12-month period increasing every year for the past three years, and by 8 per cent overall.

When data breaches occur, they can result in a major financial and reputational hit for an organization. In addition, a data breach can lead to serious interruptions in municipal services that the public rely upon for their day-to-day lives. These losses are only increasing, with estimates suggesting that data breaches will cost the global economy over CAD 2 trillion between 2014 and 2019. More concerning still, when sensitive data (e.g., Personally Identifiable Information (PII) and Protected Health Information (PHI)) is involved, a Public Sector entity’s constituents can also experience stressful and damaging losses, as can Public Sector services and operations.

With no clear end to an ever-shifting, dangerous cyber landscape and with confidential information on the line, the federal government recently re-evaluated organizational requirements and oversight related to data breaches. This re-evaluation came through the enactment of the Digital Privacy Act (DPA), which amends the Personal Information Protection and Electronic Documents Act (PIPEDA).