Organizations will be forced to immediately involve the individuals whose data was leaked

Oct 3, 2011 11:57 GMT

Like many other countries, Canada has taken note of the risks presented by data breaches and decided to act. Recently, Industry Minister Christian Paradis proposed Bill C-12, also known as the Safeguarding Canadians’ Personal Information Act.

According to Sophos, the bill is vague when it comes to properly defining the term “breach.” “<Breach of security safeguards> means the loss of, unauthorized access to, or unauthorized disclosure of, personal information resulting from a breach of an organization’s security safeguards,” reads the document.

The act will force organizations that suffer data breaches to alert the proper authorities within 30 days of the incident. To help companies determine whether an issue has to be reported, several factors have been taken into consideration.

First of all, it mostly depends on how sensitive the leaked data is. It also depends on the quantity, or more precisely “the number of individuals whose personal information was involved,” and on “an assessment by the organization that the cause of the breach or a pattern of breaches indicates a systemic problem.”

As Chester Wisniewski highlights, judging by these criteria, it's fairly hard to establish whether a problem falls into the category of reportable incidents. Not only is the number of individuals not specified, but pieces of information that some might consider “harmless” might be gold for hackers.

The same division of the document covers “Notification to individual,” under which an organization must notify an individual if the breach creates a real risk of significant harm to the parties involved.

Significant harm is described as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.”

The fact that Canadian authorities are taking these steps to protect their citizens is a good thing, but as with copyright, it's not easy to regulate the issue clearly, which is why it will probably take a while until things are definite.