February 04, 2016
The data breach notification requirement imposed by Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has some legal experts analyzing the various possibilities for the as-yet-unreleased notification threshold (read about the PIPEDA notification requirement in our bulletin, “Long-Awaited PIPEDA Amendments Become Law”). In an article examining the implications of the eventual threshold, the Law Times sought comment from senior associate Molly Reynolds who, as part of Torys’ Privacy Practice, regularly advises on privacy law compliance and data security best practices. Below is an excerpt of the article.
To measure the risk in each case of a breach, and to evaluate on a case-by-case basis, can be difficult, [Molly] Reynolds says, but there has to be consistency in the way companies assess privacy breaches and that they’re reporting the same kind of incidents as other industry participants.
Real risk of significant harm has to mean more than a mere possibility of harm, says Reynolds. “Beyond the need for a clear standard that can be consistently applied by businesses and the OPC, a threshold on the higher probability end of the risk of harm spectrum would benefit individuals, businesses, and the regulator,” she says.
“Individuals could experience notification fatigue or not be adequately equipped to determine which breaches pose a significant risk,” she continues, adding consumers’ attention should be sought only when breaches pose a probability of significant harm.