Data protection rules may be about to get a lot more interesting north of the border.
Canada’s proposed amendments will have the greatest impact on information security operations. PIPEDA currently requires organizations that have experienced a data breach to conduct a risk assessment covering potential misuse of the compromised information, notify both the affected individuals and any organizations that can mitigate harm, and maintain records of the breach for government review.
While PIPEDA applies solely to Canada, many U.S. companies may also be affected. The law states that foreign businesses that collect, use or disclose private information during a commercial activity with a “real and substantial connection” to Canada are covered. That means that a company with clients in Canada, or one that holds the personal information of its clients’ customers, is probably on the hook. Organizations should consult their legal counsel to be sure.