Mr. Speaker, the amendments in this legislation introduce requirements for organizations to report potentially harmful breaches of information security safeguards, like data breaches. For example, if there is a data breach on credit card information on a website, they have to report that information to the Privacy Commissioner immediately and also notify the affected individuals. It is a dual track of accountability. If someone involved in e-commerce is purchasing something on a website and that website may have been hacked and the person's information has been potentially lost or stolen, there is an immediate responsibility for the firm that has lost the information to report it directly to the Privacy Commissioner and also to the people who are affected. There is a dual track of accountability, and this is essential.
Failing to report these kinds of data breaches to either the individuals or the Privacy Commissioner would result in facing a penalty of up to $100,000 per offence. If there is a data breach of, say, a few hundred customers whose credit card information may have been stolen and that data breach is not reported to both the Privacy Commissioner and the individuals, in every single instance, there is up to a $100,000 fine. That is a stiff penalty, but we think it is necessary.
As more and more Canadians are migrating their businesses and academic pursuits online, we need to make sure information is being protected, not only by the government but obliquely by firms, and that they take their privacy obligations very seriously, stay ahead of the technological curve, and stay ahead of those who would want to steal people's information and use it for violations of their privacy and self-interest.