As Innovation Science and Economic Development Canada (ISED) prepares to release a second version of the country’s new data breach notification standards this fall, the Information Technology Association of Canada (ITAC) hopes the latest proposed regulations will take a flexible, outcome-based approach, while also providing a grace period to give businesses time to adjust.
“We want there to be an appropriate balance between the need to protect Canadians by notifying them of data breaches, and the costs and challenges sometimes faced by businesses in doing so,” ITAC senior director David Messer tells ITBusiness.ca.
Since the Digital Privacy Act amended it in 2015, data breach notification has fallen under the Personal Information Protection and Electronic Documents Act (PIPEDA), a law introduced in Parliament in 1998 and enacted in 2000 that regulates how non-government organizations (excluding charities and not-for-profits) may collect, use, disclose, and dispose of personal data.
Under PIPEDA’s current rules, organizations are responsible for all personal information within their control. They must also obtain consent from anyone whose data they collect; protect that information from loss or theft; and report data breaches that compromise it both to the government, through the Office of the Privacy Commissioner, and to the affected individuals, so that those individuals can take the steps necessary to mitigate the damage.
Consumers, meanwhile, have the right to examine their personal information, to challenge its accuracy, and to withdraw their consent to its collection at any time.
Canada’s current privacy commissioner, Daniel Therrien, has expressed concern that federal privacy laws including PIPEDA haven’t kept up with technology. ISED, for its part, has been developing new data breach notification regulations since last June, and released a draft version in March 2016.
The privacy commissioner’s office responded to the draft with a report of its own in June. Notably, when contacted by ITBusiness.ca for a previous story, the commissioner’s office had described PIPEDA as “adequate” and consistent with “internationally recognized standards.”
PIPEDA does, however, contain a number of exceptions under which information can be collected, used, and disclosed without an individual’s consent, including for reasons of national security, international affairs, and law enforcement.
BlackBerry, for example, has been known to provide the RCMP with personal user data during investigations.
There are also exceptions to the rule that individuals must be given access to their own personal information: for example, when doing so would reveal personal information about a third party.
The interpretation gap
In contrast to the privacy commissioner, ITAC is comfortable with PIPEDA’s current notification requirements, Messer says, though it also supports the introduction of new data breach notification regulations.
“The focus should be on protecting Canadians, improving cybersecurity, and avoiding unnecessary costs or regulatory requirements for businesses,” he says. “They need to be implemented in a way that allows businesses to incorporate them into their existing practices without unnecessary disruption.”
Back in March, ITAC hosted two webinars, attended both by ISED staff and more than 70 member companies, to discuss the scope of the proposed regulations. It also launched an online survey and established a working group to develop an industry position, resulting in a response paper the organization released on May 31.
One pronounced difference of opinion between the privacy commissioner’s analysis of the proposed regulations and ITAC’s concerns the role of encryption: the commissioner’s office argues that encryption alone isn’t enough to keep personal information safe, while ITAC says otherwise.
“I think a lot of companies have come around to the position that to some extent, network breaches are inevitable,” Messer says. “There’s no such thing as ‘perfect’ cybersecurity, so encryption and data-centric technologies are increasingly being employed, which I think will protect personal information and should be encouraged.”
“It’s always possible to break encryption,” he continues. “It’s always possible to break a network. But I think it needs to be seen – quite validly – as a significantly lower risk.”
Notifications are another area of concern, with ITAC believing the proposed regulations could lead to notice fatigue.
“There needs to be a real focus on risk,” Messer says. “If the government insists that everyone uses their standard form, then everyone will begin ignoring standard forms, and then notifications will become meaningless.”
In their current form, the proposed regulations would require companies to notify consumers of any breach that carries a “real risk of significant harm” – but what counts as such a risk is subjective, and the definition could easily be read to cover breaches that pose little to no threat, he says.
ITAC also believes that whatever approach it chooses, the federal government needs to help businesses comply with its new data breach reporting rules – by introducing accreditation and support programs to help them make sense of the cybersecurity landscape, for example – so that meeting the new requirements is as painless as possible, Messer says.
He also disagrees with the proposed requirement that companies keep records of breaches for five years.
“If the goal is to recognize patterns in data breaches and help create ways for other businesses to protect themselves and their customers, the government needs to recognize that the cybersecurity landscape is constantly evolving – so if you look at records five years back, they’re not going to be very useful in protecting someone in the current landscape,” Messer says.
Instead, ITAC suggests implementing a record-keeping period of no more than 24 months, with the new standards defined in a flexible enough way that businesses can easily incorporate them into their current practices.
“It doesn’t need to be an intense process with a lot of requirements,” he says.
Notifications can be a good thing
Ann Cavoukian, who served as Ontario’s Information and Privacy Commissioner from 1997 until 2014 and now works for Ryerson University’s Privacy and Big Data Institute, agrees with ITAC that the new data breach notification laws should not stand in the way of innovation. But she also believes the companies the organization represents need to respect the extent to which data breaches leave consumers feeling vulnerable – and the important role notifications can play in retaining those customers.
“It all depends on how you frame it,” she says. “If you’re honest with your customers, and say, ‘these are the measures we took, but despite our best efforts there was a data breach and we wanted to notify you as quickly as possible – here’s what you can do about it,’ I think that can increase your trustworthiness with your customers.
“I think the Privacy Commissioner is taking a very principled position,” she continues. “I don’t disagree with ITAC that data breach notifications should not stand in the way of innovation and prosperity… but companies need to realize that notifying their customers of a data breach can actually be a positive.”
Cavoukian’s message to businesses is that they need to embed privacy protection measures into their operations, including data storage, software platforms, privacy policies, and the like. Not only will doing so not impede creativity and innovation, she says, it might help a company get ahead of the game.
“I don’t want in any way to appear that I’m opposing what the Privacy Commissioner is saying,” she says. “You can have privacy and functionality. It’s not an either/or proposition. What we really have to get rid of is the type of zero-sum, win/lose thinking that has plagued us for far too long.”