What notification obligations does an organization have if its service provider suffers a breach involving personal information?
The Alberta law applies to an organization that has personal information “under its control.” On its face, this control standard appears ambiguous when a service provider breach has occurred. If personal information is stored offsite on a service provider’s computer, but is accessible to an organization, is it under the “control” of the organization or the service provider (or both)? Unlike U.S. breach notice laws, Alberta’s law does not distinguish between the “owner” or “licensee” of personal information and the “service provider” (whose typical breach notice obligation under U.S. laws is to report the breach to the owner/licensee). This, of course, raises the next question.
Related Questions
- What notification obligations does a service provider have if it suffers a breach involving personal information of its customers?
- What is meant by Corporation/Organization under the Type of Customer and Type of Service Provider fields?
- What breach notification obligations are set forth in Alberta’s breach notice law?