Data breaches are either simple negligence (the company emails private info to the wrong person, or attaches an attachment they shouldn't, or criminal acts, where the company "allows" information to be removed. Often the second involves negligence. If the inference is that negligence abused by a 3rd party removes all liability for that negligence, then the effect of that ruling would affect many other areas of law. It always amazes me how "on a computer" stumps the legal system. If the list is the reservations list at a restaurant, and it's left sitting on the host podium, and it has every reservation ever made, names and numbers, and someone can walk in and take it when the host is seating someone else, that is negligence, regardless of whether the act of taking is or is not a crime. Basic security: the list should be for the current night only. The list could be placed under unlocked glass, which provides at least a minor barrier to reduce the ability for someone to walk off with it, and locked under that same glass, if the list needs extra security (is an upscale place with VIPs someone could use the information against them). Also a cost should be assigned in law, for a data breach. $10,000 per person limit, $500 or $1000 minimum, so that these class actions don't need to prove "damages", but they are statutory. And I personally oppose the adversarial system, and I'd prefer a inquisitional system, but Spain ruined it for the rest of us (the adversarial system tends to favour those who can afford a vigorous defence, which perpetuates the class warfare).

I enjoyed the video! It's nice to see discussions about Canada-specific issues. One thing I was unsure about is whether it should be our federal government enacting these rules rather than having the Supreme Court decide?

Yes, there should absolutely be a different standard for companies that posses personal data. Attacks are now normal part of doing business. That data MUST be protected.