The recently introduced C29 amendment to the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) is a sign that the Canadian government is stepping up its efforts to raise the visibility of data breaches through expanded data breach notification requirements. This week’s SC magazine article entitled “Canada’s newly introduced data breach is a start, but it lacks teeth” raises the question of whether this legislation goes far enough. Under the C29 amendment, banks, retailers and other companies are required to report any “material breach of security safeguards involving personal information under their control.” The amendment’s focus is on notification, not on prevention.
While it is some consolation to the individual to know that they will be informed if their personal information has been breached, it would be a lot more reassuring to hear that corporations are required by law to implement safeguards to protect their information. The recently introduced Massachusetts legislation CMR-17 is a good model for legislation that goes significantly further than setting regulations for notification and extends to requirements for data breach prevention.
While data breach notification regulations are a good step in the right direction, an ounce of prevention is worth more than a pound of notification.
