If passed, Bill C-475 would lead to mandatory reporting of information security breaches.
On February 26, 2013, First Reading was given to Bill C-475, which, if passed, would amend PIPEDA to require organizations to notify the federal Privacy Commissioner of any incident involving “the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss or disclosure or unauthorized access”.
The Bill, put forward by NDP MP Charmaine Borg, lists several factors that must be considered in determining whether the threshold for mandatory notification has been met in any particular situation.
Once notified, the Commissioner may require an organization to notify affected individuals.
Bill C-475 would also amend the Commissioner’s powers following an investigation of a complaint against an organization. For example, under the new Bill, if the Commissioner determines that an organization has not complied with her orders, the Commissioner will have a right of action against the organization in Federal Court. The Federal Court may impose a monetary penalty against an organization of up to $500,000, and may also impose punitive damages.