Canada's Tough New Breach Reporting Regulations
Attorney Imran Ahmad Discusses Potential Impact

Canada had been lagging behind the U.S. and some other nations in terms of breach notification regulations, but now it's catching up, says attorney Imran Ahmad, who explains new requirements that are coming into effect.
Previously in Canada, entities experiencing a breach were required to identify what kind of breach occurred and to notify regulators. "Contacting affected individuals [about the breach] would be something you would delegate to the regulators to get advice and guidance on," he says.
But that all changes under the Digital Privacy Act of 2015, which amended certain Canadian privacy regulations in three key ways and will likely go into effect by the end of 2017, Ahmad says.
Those changes include mandatory breach notification to affected individuals; keeping a record log for two years of any type of data breach that occurs; and imposing sanctions of up to $100,000 for each violation of the new law, he says.
Those amendments provide "a bit more teeth" to Canadian data breach legal requirements, he notes.
In the interview, conducted at Information Security Media Group's recent Fraud and Breach Summit in Toronto, Ahmad, who was a panelist, also discusses:
- The potential impact of Canada's new breach notification regulations on U.S.-based companies;
- The impact on the security action plans of Canadian companies;
- Cyber insurance considerations related to Canada's new breach notification law.
Ahmad is a business law partner in the Toronto office of Miller Thomson who specializes in the areas of cybersecurity, technology and privacy law.