alberta enacts breach notification requirement

Alberta’s Personal Information Protection Amendment Act, 2009 came into effect over the weekend (May 1, to be precise). The amendments included a variety of changes but perhaps most notably include a new notification requirement if an organization experiences a security breach.

The Alberta government has come out with a brochure (PDF) to help organizations understand their obligations under this new requirement. Here’s the Coles Notes version:

  • you must notify the Alberta Privacy Commissioner of any loss, unauthorized access or unauthorized disclosure of personal information without delay
  • notification is mandatory (i.e. it’s an offence if you don’t) if a reasonable person believes there is a real risk of significant harm to an individual as a result of the breach and optional if it isn’t
  • the Commissioner then decides whether individuals need to be notified. If they do, the Commissioner will tell you and you will need to comply accordingly

The brochure itself contains helpful explanations, examples and illustrations on some of these concepts, such as what is meant by “real risk of significant harm” and who is responsible for notification, which I won’t regurgitate here.

While this is old hat in the US, with many (most?) US states already having such requirements in place, it is relatively new in Canada. Apart from the somewhat terse breach notification requirements under the Ontario Personal Health Information Protection Act, Alberta’s legislation appears to be the first in Canada. The concept however has been subject to discussion for some time now. Other provinces (I believe Newfoundland and New Brunswick) have legislation pending along the same lines, but Alberta’s is the first to address breaches relating to personal information generally, not just health information. The Uniform Law Commission of Canada has also studied the matter a fair bit and came out with a report and draft legislation (PDF) last year. John Gregory, the General Counsel of the Ontario Ministry of the Attorney General, has also given presentations (PPT) on the topic.

In short, all this points to the fact that it isn’t a question of whether there will be such requirements throughout Canada, but rather when. Organizations that hold a significant amount of personal information would be well-advised to consider the adequacy of their existing security measures and whether they need to be upgraded, given the potential cost of security breaches in light of these requirements.

unlimited liability in british columbia!!

I kind of liked the ring of that – sounds rather tabloidly, with a bit of a legal touch. Obviously not as exciting as Sir Black’s trial but then again, what is?

In any event, if you happen to be a US company looking to do business in Canada or to buy a Canadian business, unlimited liability corporations are very cool because they allow US companies “flow-through” and “check the box” treatment for tax purposes.

Previously, in Canada, it was only Nova Scotia that had them, and they charged rather handsomely for them, since they were the only game in town. However, Alberta has recently enacted similar legislation out there (and word has it that it is a bit less expensive) and, as I just heard a bit earlier today, apparently BC will also be doing so shortly.

So, for you US tax mavens out there, the next time you look longingly at Halifax with misty eyes at the thought of tax savings to be had on the shores of Nova Scotia, you would also do well to cast your eyes westward to the rising sun (and lowering fees!) of BC and Alta ULCs.