The Digital Privacy Act
(Bill S-4)

What businesses should know about new data breach notification laws

Businesses are required to report data breaches involving individuals' personal information.

In the event of a material data breach, businesses are required to notify affected individuals and the Privacy Commissioner. Businesses of all sizes are required to report data breaches.

All organizations are vulnerable: 62 percent of security breaches occur in small to mid-sized businesses (Symantec Internet Security Threat Report).

Examples of small business data breaches:

  •  Theft of a computer from an accountant's office exposed tax records of 800 clients.
  •  An employee of a medical office lost a computer thumb drive containing 1,200 files.
  •  Identity thieves accessed financial records of 2,000 investment clients through employee-installed peer-to-peer software.

What can a data breach cost* per affected individual?

Direct cost - $108:

  •  Legal review, forensic IT, preparation of notification letters, identity fraud alert services

Indirect cost - $147:

  •  Time, effort and other organizational resources spent to resolve the breach
  •  Reputational loss and customer churn are additional consequences

* Ponemon Institute, Cost of Data Breach Study Canada, 2017

Typically, commercial property and liability policies may not cover data breach costs.

HSB Canada data breach coverage pays for costs of notification and response.
Policyholders receive free access to eRiskHub® data breach risk management tools.
Coverage also pays for services to affected individuals, such as fraud alert and identity recovery case management.