Under Alberta’s breach notice law, do the notification obligations apply to personal information that is encrypted?
Unlike most U.S. laws, there is no specific reference to encryption under Alberta’s breach notice law, and therefore no explicit encryption safe harbor. However, practically speaking, the definitions and triggers in Alberta’s law may preclude notice obligations with respect to encrypted personal information. For example, organizations may argue that, with respect to encrypted personal information, a reasonable person would NOT consider that there exists a real risk of significant harm to an individual whose personal information was lost or subject to unauthorized access.
Conclusion
Alberta’s breach notice provisions are very interesting, especially when compared and contrasted against the approach of U.S. states. It will be even more interesting to see if Alberta’s law becomes the model for other provinces, and whether it will have a similar impact on Canadian organizations as it did in the United States.
Related Questions
- What is the risk of harm threshold under Alberta’s breach notice law, and how does it operate in terms of the individuals who must be notified?
- What breach notification obligations are set forth in Alberta’s breach notice law?
- How is a "security breach" defined that would trigger Alberta’s breach notice law?