Privacy experts area applauding a bill currently before parliament that would require Canadian businesses to disclose when they lose customer data, but saying it must go further and also put penalties in place.
Bill C-29 is currently before Parliament and if passed will reform the Personal Information Protection and Electronic Documents Act (PIPEDA), the privacy law governing Canada’s private sector. Amongst its revisions, the biggest change would be a breach notification requirement. Organizations would have to report to the Privacy Commissioner of Canada “any material breach of security safeguards involving personal information under its control.”
If the breach creates a risk of significant harm to any individuals, then the organization must also inform those individuals. The new provision is designed to make companies more careful when collecting and using personal information, says Robin Gould-Soil, a director of PIPEDA at the Privacy Commissioner’s office.
“It’s becoming easier and cheaper to store data, so everyone’s doing it,” she says. Organizations should be asking “should we even be collecting this information?”
But the proposed bill doesn’t actually penalize organizations that fail to report. An article about the bill by McCarthy Tetrault LLP notes that Alberta’s recently enacted breach notification requirement in its Personal Information Protection Act included financial enforcement. Organizations can be fined up to $100,000 for failing to notify.
The federal office should also use fines, says Michael Geist, an Internet law lawyer at the University of Ottawa. Otherwise some companies will be tempted to risk not disclosing to save on the bottom line.
“It’s quite clear we need to have real penalties so part of that risk assessment is the real costs associated with it,” he says.
In his blog, Geist points to U.S. jurisdictions where stiff penalties threaten organizations that attempt to keep data breaches secret. Florida has a maximum penalty of $500,000 for example, and Michigan’s maximum penalty is $750,000.
Ann Cavoukian, the Information and Privacy Commissioner of Ontario, has the power to issue orders. It’s one she uses sparingly.
“When we talk to companies, we always lead with the carront,” she says. “You can avoid privacy harm and potentially save millions that a data breach will cost you, and avoid the loss of consumer confidence.”
Still, it would be preferable for the federal office to have that power, Cavoukian says. “Having order making power is an enormous strength.”
One lawyer thinks fines wouldn’t help make the law any better. Ariane Siegel is a partner and privacy team co-leader at Aird & Berlis LLP. She favours a collaborative approach to solving privacy problems.
“I don’t think that fines themselves will necessarily make a company create an enforcement model or privacy compliance model that is any better than we have now,” she says. “Personal information is a very important resource for the company. If you upset the consumer by losing it, they’re going to leave your company and you can’t afford that.”
Bill C-29 passed its first reading in the House of Commons in October. If critics don’t like the reforms in the bill that may eventually pass, they’ll get another crack at it next year. In 2011, PIPEDA will undergo a mandatory five-year review.