Revamped Federal Privacy Laws
Starting in November 2018, updates to the Personal Information Protection and Electronic Documents Act (PIPEDA) mandate that a data breach is no longer just an issue between a company and its users. Depending on the severity and nature of the breach, the federal government might also need to be included in the response to a data breach.
Determining whether “significant harm” could arise from a data breach is a somewhat murky issue, which will require a judgment call on the part of the company.
How to determine a significant breach?
To assist companies in determining whether a data breach is significant enough to alert the Privacy Commissioner, the federal government has provided two helpful qualifiers:
- First, the company should consider the nature of any personal information invol