Canada Dashboard Digest | Notes from the IAPP Canada Managing Director, April 8, 2022



I know I often take a light tone in this space and, thankfully, you indulge me. Today, however, I’m going to rant about something that has been annoying me this week.

By way of background, at our firm we do a fair amount of breach work. In Canada, for the most part, the regime is currently not the craziest. Can you imagine experiencing a breach in the United States, where you must potentially report to 50 different regulators?! But, with Quebec coming on board soon, we now have three different regimes that need to be considered and dealt with when a breach of security safeguards happens. It has the potential to get worse, and that’s why I really hope for some interoperability and consistency across our jurisdictions.

Another big issue is whether we will ever have our regulators come out with consistent decisions on the thresholds for reporting these incidents. The threshold in Canada is that you must report if there is a real risk of significant harm, warmly referred to as RROSH. Sounds more like a dance than a risk threshold, but whatever.

It might not be the best language to use as a legal threshold because it’s too easy to interpret differently depending on who you are, your background and what you’ve experienced.

Case in point: the Office of the Information and Privacy Commissioner of Alberta has always said the RROSH threshold is met if what was exposed was a name and email address. Yup, that’s it! For them, the bar is so low that just about everything meets the threshold. And they don’t publish their decisions where they don’t think the threshold is met, so we can’t really gain insight into their thinking.

I don’t think having my name and email address breached by an organization would meet the RROSH threshold, but I want to know what you think. Do you become somehow more vulnerable to significant harms if your email address has been breached? Maybe in some situations, yes, but I would’ve thought that would not be the norm. These days it could be considered the equivalent of having your mailing address out there.

My son recently took issue with the RROSH threshold and suggested to me that better language would be to report a breach if there is imminent probability of significant personal negative affliction. I don’t know if that fixes the problem, but it might be an idea to explore. Another one would be to have our regulators (and I’m speaking on a global scale here) come together and start interpreting these standards in a more consistent manner.

OK, rant over. I promise to be super friendly to any DPAs I see in D.C. next week and not rail on them about this issue — at least not too much.
