Are Companies Reckless With Your Personal Data?
We’re not here to scare you into reading the terms of service (ToS) and privacy policy (PP) of everything you sign up for, although you should. Many times, the language used in the documents is too complicated and redundant for most people. Sadly, many people think that the worst companies will do is sell their name and email to third parties for advertising purposes. In some cases, companies will have you agree to waive your right to collective bargaining so you can’t put together a class-action lawsuit; instead, you have to settle your legal issues directly with the company. We’re guessing you don’t have several million dollars lying around your home to use toward battling them in court over the course of a few years.
What is PIPEDA?
On November 1, 2018, the addition of the Breach of Security Safeguards Regulations to the Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect. This law imposes new mandatory notification obligations on companies should a breach involving consumers’ personal data occur. So what does this mean for you? It requires companies, even privately owned entities, to have the right procedures, technology, and capabilities to both identify and quantify the details of the breach. They must also have the correct procedures in place to report breaches to the proper authorities.
What Are My Rights?
As a consumer, you have the right to have any identifiable information you furnish in good faith to a company protected. The Office of the Privacy Commissioner of Canada lists the following as personal information:
- Race, national or ethnic origin
- Age, marital status
- Medical, education or employment history
- Financial information
- Social insurance number or driver’s license.
Companies are now required to provide sufficient information to enable a consumer “to understand the significance to them of the breach and to take steps, if any are possible, to reduce the risk of harm that could result from it.” The law states that notices to the affected individuals must contain:
- The day on which the breach occurred
- A description of the personal information that was the subject of the breach
- A description of the steps taken by the organization to mitigate the risk of damages
- A description of the steps the affected individuals can take to reduce the risk of damages
- Contact information for the affected individual to obtain additional information about the breach.
So, while you might not read the ToS or the PP of everything you sign up for online, you can rest assured that you will be notified in the case of a breach with specific details of the incident. Along with that notification, you will receive steps you can take to reduce or mitigate the risk associated with the breach.
If you feel a company didn’t safeguard your information or if you were harmed due to a security breach, please give our team a call at (587) 410-2500. Our lawyers are experienced in dealing with cybersecurity law, and we work with cybersecurity experts to help lock down and safeguard our clients’ data.
Richard Verhaeghe has been a guest speaker for the Legal Education Society in Calgary on several occasions, has helped small businesses, including other law firms, transition to the “Cloud” and secure their data, and has written several papers on this topic.
At a time when everything is migrating to an online platform, it’s nice to have a dedicated team ready to defend your rights on the information superhighway.