Venyu Blog

Proving that the blight of the data breach knows no borders, Alberta, Canada has become the first province to add a data breach notification requirement into its legislation. The new measures were added into its Personal Information Protection Act (PIPA) on May 1 and are now law.

According to the article published in SC Magazine, the amendment requires organizations to notify individuals that are placed at risk by a security breach, outlining the circumstances of the breach, the time period during which it occurred, and the personal information that was lost. The notification must give this information to the Alberta Privacy Commissioner, along with an assessment of the risk of harm to individuals, and quantify how many are likely to be affected. Companies must outline what they have done to reduce the risk of harm and notify the victims.

Erika Ringseis, an associate in the Calgary Labour and Employment Group at legal firm McCarthy Tétrault, said that the Alberta amendment is likely to have a significant impact on data breach notification practice across the country.

“This is now going to be the standard, the way things are done,” she said, arguing that companies were already accepting data breach best practice guidelines in Alberta anyway. If a national business operates in Alberta at all, the amended legislation will effectively set the baseline for that organization’s activities across the country. “What has been slowly happening in any regard is now going to be done on a larger scale.”

All I have to say is “what took them so long, eh?”