New Canadian rules on reporting data hacks ‘long overdue,’ critics say

The Canadian government will require that companies operating in the country report all data breaches to their customers and a privacy watchdog as soon as possible after discovery, a rule that security experts said was long overdue.

“Once in place, the regulations will reduce harm to individuals arising from breaches, and encourage stronger information security practices,” the office of Innovation Minister Navdeep Bains said in a statement on Wednesday.

Critics complained that the new rules, posted in an official registry on Saturday, had taken far too long to be developed and only brought the country’s laws up to what has been in place in many other jurisdictions for years.

“This is long overdue,” Michael Geist, a law professor at the University of Ottawa, said on Wednesday. “These rules are standard around the world.”

The mandatory breach rules flesh out a 2015 privacy law by saying a hacked company must tell affected individuals what happened when, what sort of personal information was exposed, and what they are doing to mitigate possible harm, closely aligning with similar rules in force in the European Union.

“Businesses, who may not have had this on their radar (since the legislation came into force back in 2015), will be scrambling to comply,” said Imran Ahmad, a partner focused on cyber security at Miller Thomson LLP.

An affected company must retain data breach records for at least two years after any hack. Companies that willfully and deliberately defy the new rules are liable to fines.