Advocates call for data breach notification law

The Canadian Internet Policy and Public Interest Clinic is gunning for the federal government, requesting that it make changes to PIPEDA that would force businesses to disclose IT security breaches to those whose information might have been leaked.

PIPEDA is in the midst of its five-year review, which is being conducted by the House of Commons Standing Committee on Access to Information, Privacy, and Ethics.

The University of Ottawa-based Canadian Internet Policy and Public Interest Clinic (CIPPIC) submitted a set of recommendations to the committee about changes to PIPEDA, which include its recommendation to make it mandatory for businesses that have suffered a security breach to report it to clients who could be negatively affected. In support of its recommendation, CIPPIC has released a white paper that summarizes the state of breach notification law in the United States and its case for bringing mandatory breach notification up north.

No breach notification laws exist in Canada. Businesses in this country are only governed by the PIPEDA requirement for companies to employ reasonable security measures, allowing major security breaches to fall through the cracks behind consumers’ backs. CIPPIC has also chosen to go the federal route to avoid making the same mistake the U.S. did, the white paper says.

For example, there are currently more than 30 states with breach notification laws. California led the charge in 2003, due, said CIPPIC executive director and general counsel Phillipa Lawson, to the rise in identity theft and other IT security breaches dangerous to the public. Fast-forward two years to 2005, and American data aggregator company ChoicePoint had unknowingly been handing out reams of private, sensitive information to Nigerian criminals. Once it got wise to the scheme, its legal team advised executives that Californian law required it to admit this breach to its Californian clients. It did so — but neglected to inform its many clients from the 49 other states. When this eventually surfaced in the media (along with other security breaches), there was a major outcry and, according to David T.S. Fraser, a privacy lawyer with the Halifax-based law firm McInnes & Cooper, some states got on board. “But in the U.S., there is no general national privacy law, so there is a real patchiness,” he said.

“Inevitably, you’d have gaps (between province-to-province legislation). There’s no reason for that — this issue affects us all,” said Lawson. Evidence from a recent HarrisInteractive poll seems to confirm this, albeit in the States — 49 million Americans have been notified of security breaches over the last three years, and of those people, “19 per cent (approximately 9.3 million people) believe that something harmful had happened to them as a result of the breach,” according to the white paper. Forty-three per cent had merchandise bought in their name, while 18 per cent had money actually taken directly from their bank account.

“Critics of the legislation say that it’s a waste of time and money, and that most cases don’t end up in identity theft. They’re probably right in most cases but this report shows that it’s much larger than the one to five per cent they were thinking,” said Lawson. She said that many businesses oppose the idea, fearing that revealing such a gaffe could cause them great reputational harm. Or, often, the cost-benefit analysis shows that such a move would be unwise, due to the cost involved in phoning or mailing hundreds of thousands of clients.

When it comes to such a large-scale acknowledgement, CIPPIC offered concessions to soften the blow. While the legislation would still call for timely action, companies that need to reach an immense number of people could resort to spreading the word via a Web site or newspaper advertisements. Lawson feels that notifying clients of even the most gargantuan of breaches could be seen in a positive light. “But people would rather know. Consumers will respect them for it,” she said.

Fraser agreed. “It’s not so much the crime, but the cover-up. Trust can be saved if you come clean and acknowledge that something’s gone wrong.”

And even if companies still dreaded being forced to come clean, Lawson said, the fear of public embarrassment could help businesses streamline their IT security, resulting in fewer breaches in the first place.

Another criticism of breach notification law is that constant updates about the tiniest security breach could numb people to real threats. Thompson said, “If you’re going for new legislation, you have to proceed carefully.”

CIPPIC’s recommendations are very simple — businesses would just have to examine two factors. “They’d have to see whether sensitive information — name, social insurance number, et cetera — has been leaked, and if so, is it actually readable?” Lawson said. If it’s a borderline case (say, the data is encrypted, but the encryption is poor), companies can consult the Privacy Commissioner on the best course of action. In fact, under the proposed legislation all breaches would be reported to the Commissioner, so that Canada could start compiling security breach statistics of its own.

Canadian companies that do business with the U.S. must already comply with local state data breach notification laws, which Lawson said may contribute to the climate for similar rules here, and she is positive about CIPPIC’s chances of getting this amendment through: “I sense that this committee is leaning favourably toward this amendment.”
