After a tumultuous 2014 and a similar start to 2015, the Canadian government approved changes made to the Personal Information Protection and Electronic Documents Act, and it was officially passed into law on June 18, 2015. Known by many names, most notably called Bill S-4 or the Digital Privacy Act, this amendment to PIPEDA impacts every sector from law to health care.
The Canadian Digital Privacy Act should cause every organization to rethink its data security practices and data protection tools: two distinct areas of the bill address the need for data breach reporting and record keeping, while two separate sections call into question the disclosure of personal and sensitive information. Let's take a look at these parts of the Digital Privacy Act to see how the average organization will be affected.
Record keeping and reporting
Bill S-4 makes it clear that every organization must record and report breaches of security safeguards, and must not obstruct the Privacy Commissioner's investigation of a complaint or audit. Organizations that fail to comply can be fined as much as $100,000 or $10,000 for each offense.
"Every organization must record and report breaches of security safeguards."
Furthermore, the Digital Privacy Act requires organizations to keep and maintain records of every breach of security safeguards if personal information is compromised. There is no threshold on the severity of a breach, meaning that all intrusions must be recorded and stored. If the Privacy Commissioner requests these records, organizations must comply.
This rule represents a massive challenge for organizations, as the cost and administrative hassle of keeping records for any and every incident - no matter how minor - will be enough to impact revenue and the productivity of IT team members.
The Canadian Digital Privacy Act also introduces an obligation for organizations to notify affected individuals in the event of a personal information data breach, as well as to report the breach to the Office of the Privacy Commissioner of Canada. However, this is required only if it is "reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual." Significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
The open-ended nature of the rule could cause significant harm to an organization's reputation, which could immediately impact revenue and spending.
Disclosure without consent
Bill S-4 permits an organization to disclose personal information to non-law-enforcement organizations without the knowledge or consent of its customers in order to investigate a breach of a business contract or a contravention of a federal or provincial law, if notifying those individuals could compromise the investigation. The same rule applies in fraud investigations, particularly where someone has been identified as a "victim of financial abuse."
To provide context for this ruling, Rogers Communications - a Canadian telecom provider - told The Huffington Post that it received around 175,000 government requests for information about customers in 2013, or about 480 per day, roughly 100,000 of them warrantless. Under the new Digital Privacy Act, federal agencies no longer need to ask for permission before seizing that data.
The Canadian Digital Privacy Act also enables organizations to share personal information without consent for the purpose of due diligence in business transactions. Note that this rule applies only if the sensitive data is required to proceed with or complete the transaction. Once the transaction is finished, however, any party to it can continue to view the personal information without the knowledge or consent of the individuals concerned.
What it all means
Bill S-4's details show that our data is at risk not only from government surveillance, but from other organizations that can simply claim they have reason to see it. All of this can happen without personal consent or a court order, which means the new amendment to PIPEDA will significantly affect everything from insurance claims to business negotiations.
What is the solution?
CloudMask provides the solution to mitigate all of the risks that the Digital Privacy Act presents to organizations, associations and businesses. In Bill S-4, "personal information" is defined as "information about an identifiable individual." With CloudMask, you can tokenize (scramble) all personal data from the moment of its creation and throughout its lifecycle, meaning that you no longer hold "personal information," and neither do cloud providers or any third-party affiliates.
Accordingly, no one can see secured private data without your explicit consent and approval. With CloudMask, the data is not personally identifiable, meaning that corporate information and client data remain safe and secure.
With CloudMask's data protection under breach, infrastructure breaches no longer mean data breaches. Insecure clouds and mobile devices no longer mean insecure enterprise data. An insider with application and system access no longer means access to the data.
Watch our video and demo at www.vimeo.com/cloudmask