Canada: Barbarians At The Firewall: Data Breaches, Cross-Border Commerce And Notification Requirements In Canada And The United States

The fallout for companies from data breaches is immense: consumer trust and investor confidence are eroded, and the financial costs run into millions of dollars.

Cybercrime, principally data breaches and the theft of personal and corporate information, now ranks as one of the top economic crimes worldwide. Cybercriminals do not discriminate. Hackers are truly equal-opportunity actors.

There is no area of the world, no company, no government agency and no sector of the economy that is immune from cyberattack. Iconic companies such as Target, Blue Cross Blue Shield, Anthem, Neiman Marcus, Home Depot, T.J. Maxx, Sony, J.P. Morgan and Heartland Payment Systems have suffered data breaches. Government offices, including, most recently, the Office of Personnel Management in the United States, have likewise been targeted. As Fortune magazine (July 1, 2015) put it, quoting an old line, in an article about the hacking of Sony Pictures ("The Hack of the Century"), there are two kinds of companies: "Those that have been hacked, and those that don't yet realize they've been hacked."

Retailers have been especially vulnerable to data breaches. According to the 2014 Trustwave Global Security Report, retail was the top industry compromised by data breaches, accounting for 35 percent of attacks investigated. The food, beverage and hospitality industries accounted for 29 percent of total breaches. Finance and professional services accounted for a further 17 percent of intrusions.

The fallout from data breaches is enormous. The consequences of a hack can damage company performance for years. The financial costs alone – in terms of investigation, containment, remediation, credit card replacement expenses, credit-monitoring expenses, regulatory fines, penalties imposed by credit card brands and litigation – can be significant, running to the millions and even tens of millions of dollars. For example, The New York Times (August 5, 2014) reported that the data breach suffered by Target cost the company $148 million. Home Depot's quarterly SEC filing indicated that it incurred $43 million in data-breach-related expenses in the third quarter of 2014 alone. According to a report issued by IBM and the Ponemon Institute in May 2014, the average cost of a data breach for the companies it surveyed across all sectors of the economy was $3.5 million. And a study published in 2014 by McAfee (Net Losses: Estimating the Global Cost of Cybercrime) estimated the total cost of cybercrime to the global economy at more than $400 billion.

In addition to the direct economic cost of an intrusion, data breaches usually have serious reputational consequences for the breached entity. For example, intrusions can have a negative impact on how the company is viewed by consumers and investors alike. Data breaches erode consumer trust and investor confidence. The recent hacking of the Ashley Madison website is a graphic, if not unique, example of the way a data breach can call into question the long-term viability of an online company's business model.

In some instances, data breaches have led to the loss of shareholder value. For example, Heartland Payment Systems, one of the largest processors of credit card transactions in the United States, suffered a data breach in 2008 that resulted in the exposure of account data linked to over 100 million credit cards issued by more than 650 financial service companies. That intrusion is reported to have cost the company almost $40 million. Worse still, following the announcement of the breach, Heartland's stock price plummeted 77.6 percent.

Data breaches have also spawned class-action litigation on both sides of the 49th parallel, involving, among others, Sony Corporation, Home Depot and Target. Forty-four lawsuits were commenced against Home Depot in Canada and the United States. Jurisdictional considerations have placed some restrictions on class-action plaintiffs regarding their ability to file suit in a cross-border breach context. A class action commenced against Target before the Superior Court of Québec was dismissed on March 23, 2015, on the grounds that the court did not have jurisdiction over Target. In coming to this decision, the court noted that by the plaintiff's own admission, the breach occurred in the United States and affected only persons who shopped there. In fact, it was for this reason that Target's Canadian subsidiary – which had in the interim ceased its operations and sought creditor protection under the Companies' Creditors Arrangement Act – was not named as a defendant in the Québec proceedings.

Technology has turned the world into a highly connected place. In many ways, the Internet has dissolved the traditional boundaries of cross-border commerce. The Internet – and especially the ecommerce phenomenon – has given even the smallest of businesses a global reach. Although the benefit of electronic-based business is undoubted, companies carrying on business (in whole or in part) through the Internet should adopt policies for dealing with data breaches, including notifying potential users and regulatory authorities. These policies must take into account that an intrusion may require the organization to comply with many extraterritorial regulatory schemes dealing with data-breach notification.

Many European countries, and an increasing number of jurisdictions in the United States, require businesses and other organizations to report unauthorized access to personal or financial information to the authorities. In Canada, legislation at the federal level (the Personal Information Protection and Electronic Documents Act, or PIPEDA) and in some provincial jurisdictions establishes obligations regarding the collection, use, disclosure and handling of personal information. For now, however, there are few mandatory reporting requirements in Canada following a data breach.

On June 18, 2015, the Digital Privacy Act (the Act) came into effect in Canada, introducing significant amendments to PIPEDA and to the private-sector privacy regime. The amendments include mandatory data-breach notification rules; however, those rules will only come into force once the supporting regulations are complete.

Once in effect, the mandatory notification rules introduced by the Act will require an organization to report a data breach to the Privacy Commissioner if the organization reasonably believes that the intrusion creates "a real risk of significant harm to an individual." The assessment of what constitutes a real risk of significant harm will be based on a number of factors, including the sensitivity of the information compromised and the probability that the information in question has been, is being or will be misused. "Significant harm" is broadly defined and includes bodily harm; damage to reputation or relationships; humiliation; loss of employment; financial loss such as the impact on a person's credit record; identity theft; and damage to or loss of property. In these cases, the breached entity must do the following:

  • Report the breach to the Privacy Commissioner as soon as feasible.
  • Notify the individuals affected (unless prohibited by law from doing so). Such notification must be conspicuous and must, if possible, be given directly to the individuals affected. The notice must be sufficiently explicit to allow the individuals to understand the significance of the breach and take whatever remedial steps may be required.
  • Notify other organizations, including the government, if notification can mitigate the risk resulting from the breach.

Failure to comply with the Act's data-breach rules can result in fines of up to C$100,000.

PIPEDA's reporting requirements will apply to any organization that collects, uses or discloses personal information in the course of commercial activities, including federal works, undertakings and businesses.

Although Ontario, Newfoundland, New Brunswick and Nova Scotia have enacted legislation requiring notification in the event of the compromise of health-related personal information, only Alberta currently has a private sector-wide data-breach notification requirement. In that province, the Personal Information Protection Act (PIPA) requires organizations to notify the Alberta Privacy Commissioner if personal information under their control is accessed without authorization in circumstances in which a reasonable person would consider that there exists a real risk of significant harm to an individual.

The Alberta Privacy Commissioner may in turn require the breached entity to notify the affected individuals if he or she determines that there is a real risk of significant harm as a result of unauthorized access or disclosure. Factors to be considered under PIPA in order to determine whether a real risk of significant harm exists include the number of individuals affected, the maliciousness of the breach, the sensitivity of the information, whether there are indications that personal information was misappropriated for nefarious purposes and the harm that could result.

Manitoba has passed the Personal Information Protection and Identity Theft Protection Act (PIPITPA). PIPITPA contains a broad breach-notification obligation that will, once in force, require an organization that collects or uses personal information to notify an individual if personal information in its control or custody is accessed, stolen or lost in an unauthorized manner. Unlike PIPEDA or PIPA, there is no "real risk of significant harm" threshold. Nor is there any obligation to notify the Privacy Commissioner of a data breach.

Although the United States does not currently have a broad-based data breach notification law, on January 12, 2015, President Obama proposed the Personal Data Notification & Protection Act. This legislation would create a federal standard for data-breach notification. It would apply to a wide variety of "sensitive personally identifiable information." It would also require notification directly to the individuals concerned and through the media if a security breach creates a risk of harm. If a breached entity determines that a risk of harm exists, it must notify the Federal Trade Commission within 30 days of discovering the breach. Businesses would also be required to notify federal law enforcement and national security authorities of a data breach if the sensitive personally identifiable information of more than 5,000 individuals was accessed or acquired or if the intrusion involved a data system containing sensitive personally identifiable information of more than 500,000 persons across the United States.

The majority of states have enacted data-breach notification laws applicable to affected individuals resident in such jurisdictions (a complete list of the relevant state laws may be found at [URL omitted]). The various state laws are similar, but they do have significant variations, including in what constitutes a breach that triggers the obligation to notify. In many jurisdictions within the United States, time is of the essence when reporting data breaches.

In addition, companies in industries such as banking and financial services, insurance and healthcare may be subject to certain state and federal industry-specific breach notification requirements.

Regulatory authorities at both state and federal levels in the United States can impose significant fines and penalties for non-compliance with notification requirements, including late notification. In some cases, a breached entity's exposure to fines and penalties will increase if it is found not to have complied with applicable data privacy and security standards. For example, companies subject to regulatory scrutiny by the Federal Trade Commission may be subject to enforcement for unfair or deceptive acts or practices under the Federal Trade Commission Act. The FTC has interpreted "unfair acts or practices" to include the failure to adopt appropriate data-security measures to protect personal information and has brought enforcement actions against companies that have suffered data breaches.

The application of various state laws is typically based on the place where the person whose data was compromised resides. In many cases, state laws will apply irrespective of where the breached entity's place of business is located or where the compromised information was held. This means that Canadian companies could be subject to US state data-breach legislation requiring them to give notice to United States-based customers in the event of a data breach. It is critical, therefore, that Canadian companies with customers located in the United States be aware of potential reporting requirements when faced with a data breach.

Originally published in Lexpert's 2015 Guide to the Leading US/Canada Cross-Border Litigation Lawyers in Canada, November 2015.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
