June 22, 2021

Volume XI, Number 173


June 21, 2021


Canada Releases New Data Breach Regulations

In a recent post, we discussed the Canadian Cabinet’s announcement that Canada’s new data breach regulations go into effect on November 1, 2018. Despite announcing the effective date, Canada had not yet finalized these regulations.  However, on April 18, 2018, Canada unveiled the Breach of Security Safeguard Regulations: SOR/2018-64 (“Regulations”).

To highlight some of the finer points: to trigger the notification requirements, the Regulations require organizations to determine whether a data breach poses a “real risk of significant harm” to any individual whose information was accessed in the breach. If a breach meets this harm threshold, the affected organization must notify the Privacy Commissioner of Canada, as well as the affected individuals.

As for reporting, the notification to the Commissioner must describe the circumstances of the breach, the time period, the personal information accessed, the number of individuals compromised, steps taken to reduce harm to those individuals, steps taken to notify those individuals and an organization point of contact who can answer any follow-up questions regarding the breach. The notification to the individuals requires the affected organization to disclose similar information. As for the communication mechanism of the individual notification, the Regulations give affected organizations flexibility to use any form of communication that a reasonable person would consider appropriate, such as phone, email or advertisement.

Interestingly, rather than specifying a strict time frame for notification, the Regulations require such notification to be completed “as soon as feasible.” In providing this flexibility, the Cabinet recognized that it takes time for organizations to gather all necessary information.  Lastly, the Regulations establish a mandatory minimum of two years for the maintenance of all records related to the breach.

It is interesting to note that these Regulations bear some similarity to the European Union’s (“EU”) new General Data Protection Regulation (“GDPR”), which goes into effect on May 25, 2018. For example, similar to GDPR, the Regulations have harsh penalties. In particular, the Regulations impose fines up to $100,000 CAD for each affected individual of a breach, whereas a violation of the GDPR can carry with it a fine of up to four percent (4%) of annual global turnover or €20 Million, whichever is greater. Overall, the Regulations send a clear message that Canada would like to align as much as possible with the GDPR to try to maintain Canada–EU trade relationships.

This post was written by Brad Davis.

© Copyright 2021 Murtha Cullina
National Law Review, Volume VIII, Number 116



About this Author

Dena Castricone, Murtha Cullina Law Firm, Privacy and Cybersecurity Attorney

Dena M. Castricone is a member of the Long Term Care and Health Care practice groups.  She is the Chair of the Privacy and Cybersecurity practice group and the Chair of the firm’s Pro Bono Committee.  Prior to joining Murtha Cullina, Dena served as a law clerk to the Chief Justice of the Rhode Island Supreme Court, Frank J. Williams.

Dena’s long term care and health care clients compete in a constantly evolving industry, facing both rising administrative and regulatory burdens and shrinking reimbursement rates. She helps skilled nursing centers, physician groups, home health and...

Daniel Kagan, Murtha Cullina, health care attorney, regulatory compliance lawyer, reimbursement issue legal counsel

Mr. Kagan is an associate in the Health Care Group of Murtha Cullina.  He represents hospitals, physicians and other health care clients with a wide range of regulatory, compliance, risk management and reimbursement issues.

Prior to joining Murtha Cullina, Mr. Kagan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court. 

Mr. Kagan received his J.D. with honors from the University of Connecticut Law School where he was a Notes and Comments Editor ...