Federal privacy rules that kicked in at the beginning of this year could prompt some Canadian companies to create a brand-new job title: “Web scourer.”
The same rules may also provide the necessary momentum for hackers to steal private information from corporate Web sites and hold the data ransom, threatening to publish it on other sites if they aren’t paid large sums of money, said Bob Burhoe, a senior partner at Rhodes & Williams Insurance Brokers of Ottawa.
Since Jan. 1, 2004, the Personal Information Protection and Electronic Documents Act (PIPEDA) has placed stringent legal obligations on a wide array of Canadian organizations to ensure sensitive electronic information on clients is used properly and doesn’t fall into the wrong hands.
“I think everyone is in fear of PIPEDA right now because no one wants to be the test case,” said Burhoe. “And obviously there will be one sooner or later.”
Burhoe said companies that have highly-sensitive, electronic client information, such as finance- or health-related data, are likely to assign staff to Web-scouring duties to protect against potential lawsuits. For example, Web scourers would conduct frequent checks through search engines to see whether any of their company’s electronic information has haphazardly cropped up on external Web sites.
This risk has existed for many years, said Burhoe, but PIPEDA puts the onus on the information collector to ensure it doesn’t happen. Consequently, the sale of e-commerce insurance coverage is on the rise, said Burhoe, adding that many of his clients have expressed concerns about the legislation.
“In the past, it has been a tough sale, but I would think that with the privacy legislation, some of our clients are going to have to look at this.”
But Louis Benoit, an associate in the business department of Gowling Lafleur Henderson in Ottawa, said the possibility of companies recruiting full-time Web scourers is a bit of a stretch. While people will be vigilant in their efforts to protect themselves, PIPEDA probably won’t preoccupy company staff to the point where it is their sole focus, he suggested. Such a measure would be expensive and time-consuming.
However, a spokesman for TD Bank Financial Group described the financial institution’s compliance effort as exactly that. TD falls under the federally-regulated group of companies that have had to comply with PIPEDA since January 2001.
“Not only was there a lot of raw data to be managed, but the systems, guidelines and implementation processes … (made) it a big project for us,” said Jeff Keay, who declined to give an exact estimate on the cost that TD incurred when complying with PIPEDA.
“We’re talking about a significant number of person hours and a large number of calories were spent on this project because we realized the gravity of the thing,” he said. “It’s not like we went out and hired 5,000 people to do this, but there was certainly in the tens or hundreds of people whose focus over the last while” revolved around this project.
“We have 10 million customers across the country. We knew it was a serious change in the way organizations are going to be doing things,” Keay added.
Whether other organizations now faced with compliance will see things the same way is another story. “At a minimum, they’ve got to revisit the issue. And a lot of organizations, such as small and medium-sized businesses, haven’t visited the issue for the first time,” said Michael Power, a partner at Gowling’s Ottawa office.
The real driver for companies will be what Power calls “headline risk.” No company wants to suffer the public embarrassment of media attention surrounding the mishandling of client information, he said, adding the issue is really one of competition since customers will gravitate to companies that have a good reputation in the privacy and security arena.
Another issue is whether the federal privacy commissioner will address all PIPEDA-related complaints in due course, said Power.
“Does the privacy commissioner’s office have the resources to address the possible flood of complaints?” he wondered. “Australia enacted a similar statute in 2002 and its privacy commissioner had five times the number of complaints that they originally thought they were going to get.”