The U.S. government is planning to bolster protection of consumer data through a new law requiring companies to report data breaches – and that law could set a new standard for the way Canada is structuring its own privacy laws.
Last week, U.S. President Barack Obama announced he was proposing a law called the Personal Data Notification and Protection Act, which would establish ground rules for how organizations handle consumer data.
The exact wording of the law hasn’t been released yet, though the President is expected to give more details during his State of the Union address on Tuesday. However, Obama has said the proposal would require U.S. companies to notify customers of a data breach within 30 days of discovering it – a move likely motivated by recent high-profile breaches at major retailers Target and Home Depot, which were criticized for being slow to inform customers whose personal data had been stolen.
The proposed U.S. law is a good sign for Canadian privacy advocates, who say the President’s announcement shows he views data breaches as a serious concern.
“At least getting it said out loud, that they have to have an overarching data breach privacy statute, is a positive step,” said John Lawford, executive director and general counsel of the Public Interest Advocacy Centre in Canada. “We’d have to see the wording, but it might help with [Bill] S-4 here.”
Does Canada’s Digital Privacy Act need a sharper edge?
In April 2014, Industry Minister James Moore announced the Digital Privacy Act, or Bill S-4. Designed as an update to the Personal Information Protection and Electronic Documents Act (PIPEDA), the bill would compel businesses to keep records of every data breach so the federal Privacy Commissioner can inspect them on request. However, it does not force them to report every breach to the Commissioner or to notify affected customers: notification is required only when the organization itself judges that a breach creates a “real risk of significant harm” to individuals, leaving the risk assessment in the hands of the company that suffered the breach.
Canadian privacy advocates are hopeful that if Obama’s proposed law has teeth, they will be able to brandish it in front of Canadian lawmakers and demand changes for Bill S-4, which is currently in front of a House of Commons committee for review. Like other privacy advocacy groups, Lawford and his team have made a request to appear in front of this committee.
“We’ll just show up and say the same thing we said in front of the Senate – the way this is worded, this changes nothing. It still is a licence to do what you want, in terms of whether you report breaches or not,” he said, adding he hopes the U.S. has created an objective harm test for its law.
That means that if third parties – not the companies themselves – had reasonable cause to believe harm could come from a data breach, customers would have to be informed. Such a model would force businesses to reveal data breaches, removing the “conflict of interest” faced by organizations that want to protect their reputations, Lawford said.
“Then we would go to the House committee and say, look, in the U.S., they’re about to pass an act that actually works. Why don’t you copy it?” he said. However, he added he doubts any changes will be made, given Daniel Therrien, the federal Privacy Commissioner of Canada, has already shown his support for the bill.
In a submission to Parliament dated June 4, 2014, the Office of the Privacy Commissioner said it did not consider it necessary to require organizations to inform individuals of every breach that occurred, arguing that doing so wouldn’t be “practical or efficient.”
Instead, in the submission, the Privacy Commissioner’s office said it would be better to allow organizations to “assess each incident on a case-by-case basis to determine the seriousness of the incident and its potential impact on the affected individuals. Furthermore, we believe that the organization experiencing the breach is in the best position to assess the risks to decide whether notification is warranted.”
Commissioner Therrien was not available for an interview, but a spokesperson for his office provided a statement in an email, saying the office “strongly supports” the breach notification provisions in the bill.
Status quo fine by retailers
For Stephen O’Keefe, a retail consultant for the Retail Council of Canada, the current requirements for data breach reporting are fair. In his view, a law imposing a fixed deadline for mandatory breach reporting wouldn’t give retailers enough time to investigate and respond – the same criticism U.S. retailers have levelled at Obama’s proposed act.
“Here’s the challenging aspect. When you suspect any type of a crime, there’s a period of time as an investigative body where you want to control all of the information because you don’t know what’s happening exactly yet. You don’t have the scope of the problem clearly outlined to where you can communicate what happened,” O’Keefe said, noting retailers need time to do their due diligence and figure out where a breach may have occurred.
“I think this is written very much the way any act is written in Canada, with a little bit of room for interpretation,” he added. “I don’t think there’s any difference between having it say ‘reasonable,’ and having all suspected breaches reported. Because I’ll tell you the truth, the suspected breaches, the Office of the Privacy Commissioner of Canada would not have the infrastructure to investigate every suspected breach.”
Asked how retailers can catch data breaches, given that not every retailer has the resources for IT staff, security software, or extensive penetration testing, O’Keefe said there are “minimum standards” for any company that wants to accept debit or credit cards, such as the Payment Card Industry Data Security Standard (PCI DSS), which is maintained by the PCI Security Standards Council.
“My expectation, if I’m using a credit card at a terminal, is that the company has exercised good due diligence in protecting the information. So if you’re talking about it from a resource standpoint, it is the cost of doing business,” he said, adding even small mom and pop stores can get help with their security by hiring part-time consultants.
Potential compromise involves privacy watchdog
Still, privacy advocates are determined to keep pushing the appointed House of Commons committee for amendments, especially where consumer data is concerned.
“I think certainly, when there is doubt about [the seriousness of a data breach], we should err on the side of informing individual customers, particularly given the issue of identity theft,” said David Christopher, communications manager at OpenMedia.ca.
He added that Bill S-4 could be improved by making it mandatory to report data breaches to the Privacy Commissioner, if not to the public – a middle ground between businesses keeping quiet and full public disclosure.
The next committee hearing for Bill S-4 is set for early February.