New Data Breach Reporting Rules

Have you ever:

  • lost your mobile phone?
  • had your laptop stolen?
  • misplaced a USB drive?

Under new federal rules that took effect last fall, you may be required to report these incidents to the federal privacy commissioner. Reporting is mandatory if the data breach creates a real risk of significant harm to an individual. The degree of risk will depend on several factors, such as the potential for physical or financial harm, humiliation, or identity theft. The sensitivity of the lost information, and the possibility that it is being or will be misused, must be considered.

Currently these rules apply only to businesses that are federally regulated, or organizations that share or move personal information across borders. Most BC businesses, if they only collect and use personal information in BC, are not subject to federal privacy laws. Instead, they must comply with BC’s Personal Information Protection Act (“PIPA”). PIPA does not currently require mandatory reporting, but complying with the federal law is considered best practice, and will likely become the law in BC in the near future.