Compared to the 51 jurisdictions requiring mandatory disclosure in the US, Canada has 3 provinces with a similar legislative requirement (Alberta, British Columbia, Quebec), with varying levels of security requirements for different industries across the Confederation. Altogether, Canada lacks a comparable legal framework when it comes to information security.
So, what does this mean if you’re a business operating in Canada? To answer exactly how Canadian law impacts security and privacy, this post will briefly survey the Canadian legal landscape.
Laws to Look Out for
Within Canada there are three general (and broad) forms of law that regulate security and privacy: the federal PIPEDA, the provincial variation of PIPEDA in Alberta, and certain health information acts. The three forms of legal regulation are summarized in point form below.
PIPEDA
- The acronym PIPEDA stands for Personal Information Protection and Electronic Documents Act.
- Criticized for a lack of enforceability, since it contains no mandatory disclosure requirement and no penalty for offending parties.
- Possible amendment with Bill S-4, the Digital Privacy Act, which would introduce mandatory disclosure of data breaches and information leaks.
- While there are other provincial forms of PIPEDA, Alberta’s Personal Information Protection Act (PIPA) differs from the rest, including PIPEDA itself, in that it goes beyond the minimum standard: it requires organizations to take measures to protect data and introduces mandatory disclosure of data breaches and information leaks.
Health Information Protection Act
- Legislation that protects private health information. Only three provinces have privacy legislation similar to PIPEDA with regard to health information (Ontario, New Brunswick, Newfoundland).
- This legislation requires mandatory reporting of data breaches.
PCI and E-commerce
Aside from legal obligations, businesses also need to focus on industry regulations that affect privacy and data security requirements. The most common and well-known of these is the Payment Card Industry Data Security Standard (PCI DSS). This standard applies to all merchants that process, store, or transmit credit card information, and sets a security standard for businesses and their virtual environment.
There are four distinct merchant levels, each with progressively more stringent requirements. For a table of requirements please see here. For each successful data breach, the compromised merchant is escalated to a higher validation level and is required to adhere to the new minimum requirements.
For businesses operating in Canada, information security is a must, just as it is for businesses operating anywhere else. While data breach notifications are not mandatory (except in Alberta and, for health information, in Ontario, New Brunswick, and Newfoundland), this may change if the Digital Privacy Act passes; and with PCI compliance being a must for conducting business online, information security is vital, especially in the US.
That being said, the main difference between the US and Canada when it comes to cyber security is the proactive stance on consumer protection and information security. Wait for part 2 for a quick scan of America’s legal landscape.