Website Privacy Policies and Data Breaches: New Legal Requirements for Secure Data

For any company that stores user data online, a data breach is far more than just an internal issue. It has long been a best practice to contact users promptly after a breach, even when the full extent of the breach has not yet been determined. As more information is gathered, users should then be provided with transparent updates on the nature of a breach and the amount of data that has been accessed without permission. These protocols for responding to a data breach are routinely set out in a company’s online privacy policy, which users are required to review and approve before engaging with the site and uploading data.

Revamped Federal Privacy Laws

Starting in November 2018, updates to the Personal Information Protection and Electronic Documents Act (PIPEDA) mandate that a data breach is no longer just an issue between a company and its users. Depending on the severity and nature of the breach, the federal government might also need to be included in the response to a data breach.

Under the updates to PIPEDA, any data breach that could lead to a “real risk of significant harm” to users must be reported to the Privacy Commissioner of Canada. This is in addition to any existing obligations to inform users, which exist at law or in the company’s privacy policy.

Determining whether “significant harm” could arise from a data breach is a somewhat murky issue, which will require a judgment call on the part of the company.

How to determine whether a breach is significant?

To assist companies in determining whether a data breach is significant enough to alert the Privacy Commissioner, the federal government has provided two helpful qualifiers:

  1. First, the company should consider the nature of any personal information invol