Blog / EQUIFAX BREACH – Update

PIPEDA stands for Personal Information Protection and Electronic Documents Act. It is Federal legislation that passed in 2015 and governs how companies (not just government agencies) are required to collect, store and protect someone’s personal information. Most provinces (including Alberta) have additional legislation that builds on PIPEDA.

CBC.CA article

REUREUTERSTERS.COM article

FASKEN.COM article

There are still several steps to go through before this becomes legislation, and some details have to be finalized, but overall it looks like the intention is to bring PIPEDA in line with the rules that exist in the E.U. This proposal has been in the works for about two years. I don’t think it’s any surprise that it is being pushed harder now.

This means that they are looking to add things like:

– Conducting official assessments of risks posed to individuals who’s data was leaked
– Mandatory notification
– Mandatory reporting (to the office of the Privacy Commission)
– Assessments to determine how the breach occurred
– Details on mitigation (to prevent re-occurrences)
– Details on the information that was breached
– Mandatory record-keeping about all breaches
– etc.

Really, there’s nothing here you wouldn’t expect. The idea is that companies have to tell people they were breached and what was stolen; they need to fix the problem; then they have to prove that the problem was fixed; they need to keep accurate records; and so on. They have to do much of this in a reasonable time-frame; otherwise there will be penalties should they don’t.

Nothing special, it’s just that now it will be a requirement and there will be deadlines attached to various items.

As the breach with EQUIFAX (and many other companies) shows, you can expect big businesses to act in their own best interests. This may or may not be in the best interest of anyone else.