If passed, Bill C-475 would lead to mandatory reporting of information security breaches.

On February 26, 2013, First Reading was given to Bill C-475, which, if passed, would amend PIPEDA to require organizations to notify the federal Privacy Commissioner of any incident involving “the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss or disclosure or unauthorized access”.

The Bill, put forward by NDP MP Charmaine Borg, lists several factors which must be considered in determining whether the threshold for mandatory notification has been met in any particular situation.

Once notified, the Commissioner may require an organization to notify affected individuals.

Bill C-475 would also amend the Commissioner’s powers following an investigation of a complaint against an organization. For example, under the new Bill, if the Commissioner determines that an organization has not complied with her orders, the Commissioner will have a right of action against the organization in Federal Court. The Federal Court may impose a monetary penalty against an organization of up to $500,000, and may also impose punitive damages.
