Pop quiz: do Canadians and Americans approach cyber security the same way? The answer is a clear and definite no. With the recent passage of HB 1078 in Washington State (see: here), it seemed appropriate to compare the legal attitudes of Canada’s Parliament and the American Senate. The resulting difference might surprise you. To start, Canada still lags legislatively when it comes to information security. To date, 47 different states, D.C., Guam, Puerto Rico and the Virgin Islands have legislation requiring mandatory notification of data breaches involving personally identifiable information (for the full list, see here).

Compared to the 51 jurisdictions requiring mandatory disclosure in the US, Canada has 3 provinces with similar legislative requirements (Alberta, British Columbia, Quebec), with varying levels of security requirements for different industries throughout the Confederation. Altogether, Canada lacks an equivalent legal framework for information security.

So, what does this mean if you’re a business operating in Canada? To answer exactly how Canadian law affects security and privacy, this post will briefly look at the Canadian legal landscape.


Laws to Look Out For

Within Canada there are three general (and broad) forms of law that regulate security and privacy: the federal PIPEDA, the provincial variation of PIPEDA in Alberta, and certain health information acts. The three forms of legal regulation are summarized below in point form.

PIPEDA

  • A federal law that regulates and enforces privacy policy for both public and private organizations, except where a provincial equivalent meets the same minimum standard as PIPEDA.
  • The acronym PIPEDA stands for Personal Information Protection and Electronic Documents Act.
  • Criticized for a lack of enforceability, since it requires no mandatory disclosure and imposes no penalty on offending parties.
  • May be amended by Bill S-4, the Digital Privacy Act, which would introduce mandatory disclosure of data breaches and information leaks.


Albertan PIPA

  • While other provinces have their own forms of PIPEDA, the Albertan Personal Information Protection Act (PIPA) differs from the rest, including PIPEDA, in that it goes beyond the minimum standard: it mandates that organizations take measures to protect data and introduces mandatory disclosure of data breaches and information leaks.


Health Information Protection Act

  • Legislation that protects private health information. Only three provinces have privacy legislation similar to PIPEDA with regard to health information (Ontario, New Brunswick, Newfoundland).
  • This legislation requires mandatory reporting of data breaches.


PCI and Ecommerce

Aside from legal obligations, businesses also need to focus on industry regulations that affect privacy and data security requirements. The most common and well known of these is the Payment Card Industry Data Security Standard (PCI DSS). This standard applies to all merchants that process, store, or transmit credit card information, and sets a security standard for businesses and their virtual environment.

There are four distinct merchant levels, each with progressively more stringent requirements. For a table of requirements, please see here. After each successful data breach, the compromised merchant is escalated to a higher validation level and is required to adhere to the new minimum requirements.


Last Words

For businesses operating in Canada, information security is a must, as it is for any business operating elsewhere. While data breach notification is not mandatory (except in Alberta, and in Ontario, New Brunswick and Newfoundland for health information), this may change if the Digital Privacy Act passes; and with PCI compliance being a must for conducting business online, information security is vital, especially in the US.

That being said, the main difference between the US and Canada when it comes to cyber security is the proactive stance on consumer protection and information security. Wait for part 2 for a quick scan of America’s legal landscape.


Sources

http://usa.visa.com/merchants/protect-your-business/cisp/merchant-pci-dss-compliance.jsp#anchor_4

https://www.gowlings.com/services/dbic/?p=15

https://www.huntonprivacyblog.com/2015/04/15/washington-state-senate-approves-amendment-data-breach-notification-law/#more-8666

http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

https://www.pcicomplianceguide.org/pci-compliance-overview/

http://money.cnn.com/2014/05/28/technology/security/hack-data-breach/

http://www.heritage.org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014

https://www.priv.gc.ca/parl/2014/parl_sub_140604_sen_e.asp