April 10, 2020

April 09, 2020

Subscribe to Latest Legal News and Analysis

April 08, 2020

Subscribe to Latest Legal News and Analysis

April 07, 2020

Subscribe to Latest Legal News and Analysis

New Data Breach Reporting Requirements in Canada

Canada now follows the US trend to require reporting of personal data exposures. Beginning November 1, 2018, a change in the law will require companies subject to Canada’s federal data protection laws to report data breaches in certain instances.

What is the applicable law? The Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the Breach of Security Safeguards Regulations.

Who does this apply to? Companies doing business in the following Canadian provinces and territories: Manitoba, New Brunswick, Newfoundland and Labrador, Nova Scotia, Ontario, Prince Edward Island, Saskatchewan, Northwest Territories, Nunavut and Yukon. (Alberta, British Columbia and Quebec have separate data protection laws and PIPEDA does not apply there.)

What is a reportable breach? A “breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of a company’s security safeguards or failure to establish security safeguards. If that breach involves personal information under a company’s control and, after a risk assessment, it is reasonable to believe that the breach creates a “real risk of significant harm” to the affected individuals, then the company must report the breach.

What are the Requirements?

Breach Reporting (as soon as possible) to: 

  • Canada’s data privacy regulator, the Privacy Commissioner of Canada

  • Affected individuals

  • Organizations (e.g., law enforcement, vendors such as payment processors)

Record keeping

  • Create and maintain records of every breach for at least 24 months following discovery of a breach (but Canada regulators recommend 5 years)

What are the penalties for failure to report? Knowingly withholding information about a breach or failure to keep required records could result in fines up to $100,000 and public recognition for noncompliance (i.e., public opinion).

What now? If your company directly collects or receives personal information from other sources, remain vigilant against potential data breach threats. With the addition of these Canada data breach notification requirements, companies should review their data and determine whether they receive personal information of individuals in Canada. Companies can take other proactive steps such as: updating internal governance documents to reflect Canada breach notification requirements (e.g., update a checklist or breach response plan); working with IT unit to identify risk profile related to Canada individuals and breach of their personal information; updating and providing breach training to staff; and conducting a breach simulation with Canada individuals in the fact pattern. We can also look to Alberta, which may forecast how the Privacy Commissioner could approach data breach reporting requirements (Alberta’s data breach obligations have been effect since 2010).

Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.


About this Author

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law
Senior Partner

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management, and cross-border data transfer issue, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.


Allen O'Rourke, Womble Carlyle, Cybercrime Prosecution Lawyer, Breach Investigations Attorney

Drawing upon years of experience prosecuting cybercrime, Allen comes to the aid of clients affected by data breaches and cyber-attacks. He works with clients’ legal and information security teams to investigate cybersecurity incidents, coordinate the remediation of any breach, interface with law enforcement as appropriate, and ensure compliance with applicable data breach laws and regulations. In addition to incident response, Allen defends clients facing government investigations, regulatory enforcement actions, consumer class actions, and other litigation arising from data breaches.  He also provides counsel to clients regarding cybersecurity preparedness, active network defense, and any related legal issues, including guidance about the Computer Fraud and Abuse Act (CFAA), Electronic Communications Privacy Act (ECPA), and Cybersecurity Information Sharing Act (CISA).

Taylor Ey, Intellectual property attorney, Womble Carlyle, Law Firm

Taylor is an associate in the Intellectual Property Practice Group in Womble Carlyle’s Research Triangle Park Office.


J.D. | 2016 | Wake Forest University School of Law | cum laude | Notes and Comments Editor, Wake Forest Law Review, 2015-2016 | Teaching Assistant, Legal Analysis, Writing and Research I & II, Writing for Judicial Chambers

M.S. |2012 | The Ohio State University | Biomedical Engineering

B.S. | 2011 | The Ohio State University | Biomedical Engineering | Minor, Life Sciences | cum laude