Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) will soon be experiencing an overhaul. Any private-sector organization throughout Canada could be affected and must learn their new accountabilities before November 1st 2018 – the date of enforcement. Non-compliance could result in weighty fines up to $100,000.
In the previous article, we conducted an in-depth review of the changes being made to PIPEDA and how they will impact organizations. New legislation compels businesses to report all data breaches that could cause humiliation, loss of employment or any other “significant harm” to an individual. Businesses will soon be tasked with keeping diligent records of all breaches of personal information that occur under their control. These records must be made available to Canada’s Privacy Commissioner upon request to verify compliance.
Seemingly, the most glaring risks associated with non-compliance are monetary. However, there is even more at stake for businesses large and small that find themselves in violation of these soon-to-be rulings.
Fines & Exposure:
Businesses need to be attentive when it comes to their notification obligations. Organizations and their directors can be liable if something goes wrong.
Failure to comply is treated as a quasi-crime that carries hefty financial repercussions. Some businesses could pay penalties of up to $100,000 for a completely avoidable incident! This could hurt, temporarily close and even destroy businesses and affect the livelihood of their employees.
An individual or organization that suffers a loss as a result of a data security breach has a lawful right to sue the business responsible. Class action lawsuits are common in the United States and their prevalence is on the rise in Canada. Any lawsuit against your establishment is an exorbitant expense. Organizations must develop plans to respond to both the affected individual and a barrage of inquiries from the media.
Recovering from legal costs coupled with a highly public litigation process takes a tremendous toll. Whether a business wins or loses in the courtroom, a scandal of this nature is something that no business wants tied to its name.
A public breach will most likely result in a slow-moving, time-consuming and laborious investigation by the Privacy Commissioner. If the paper trail being analyzed by the commissioner’s office reveals a sufficient lack of compliance, this could further impede the process. This can be not only costly for businesses – it can also be a reputational nightmare.
We are living in an age of hyperawareness when it comes to cyber security. This concern will only increase, and so will the detrimental after-effects of a data breach.
A breach could easily scare people away from your business. This is particularly apparent if the incident involves credit or debit card details. However, the loss of email addresses, telephone numbers and home addresses can be alarming enough for many individuals. Customers and potential investors will be heading for the hills as you are left to deal with insurmountable costs!
No business wants to see plummeting profits. No business wants to hear the tenacious negativity produced by a breach. No budget is prepared to invest large sums in public relations to try to salvage a brand.
These amendments are part of a global shift in digital privacy. As governments catch up with the demand for better citizen protection, organizations must work to remain compliant. In our final article, we will be outlining the right steps to take in order to achieve total compliance.