Ottawa urged to draft data breach notification law

In order to encourage major corporations to put greater emphasis on data security, an Ottawa-based public policy organization is calling for the creation of a publicly-accessible electronic registry for corporate data breaches.

Responding to an Industry Canada request for public consultation on data security laws, the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic (CIPPIC) this week recommended that mandatory reporting of data breaches to a public registry is the most effective way to persuade corporations to shore up their potential security risks.

“We’ve been pushing for notification requirements for years, because it’s obvious to me and my colleagues that, by and large, corporations are not doing as much as they should be to secure the personal information in their possession,” Pippa Lawson, executive director at CIPPIC, said. “Our conclusion from years of research is that the market does not provide efficient incentives for effective security precautions, because in most cases, companies can hide the breaches and they are never publicly known about.”

Last year, Parliament recommended that data protection laws – specifically the Personal Information Protection and Electronic Documents Act (PIPEDA) – be amended to include requirements for companies to notify individuals when their personal information was subject to a security breach. Lawson said that while this is a good start, the government needs to go further and require mandatory public reporting of any potential data leaks.

“There’s two ways that you can create incentive for companies to take strong security measures: one is to make them pay financially through penalties and fines, and two is to give them bad publicity that can be even more costly,” Lawson said. “If there is a real risk of negative publicity for these companies, the CEOs will make sure that they put more resources into security.”

Mike Haro, senior security analyst at U.K.-based security software provider Sophos Inc., agreed, and cited an example from last year’s data breach incident involving Framingham, Mass.-based retail chain TJX. In an ongoing lawsuit, TJX is accused of having over 90 million payment cards compromised and stolen in a hack of its computer systems.

“Even when you look at TJX, which now amounts to 90 million users that arguably had their credit card information stolen, the majority of the general public who would have been affected by this has probably never heard about it,” Haro said. “So putting some type of apparatus in place where it’s the responsibility of either a governmental organization or the actual company to reach out to everybody, through whatever means of communication, it’s a step in the right direction.”

According to Haro, Sophos research labs are tracking between five and six thousand newly infected Web sites per day – many of those being corporate Web sites or commercial Web sites. And with more people using the Web to make important transactions, he said, a public data breach registry may be in demand.

“These are sites that are legitimate, so unassuming users will get infected with what’s on site,” Haro said. “So there’s definitely a high prevalence that data breaches are going to consistently happen. And while maybe not always on the scale of a TJX, they are occurring more frequently.”

With more cyber crime cropping up every day, CIPPIC also recommended future law reform to address what it called “PIPEDA’s woefully inadequate redress and enforcement regime.” Lawson referred to a 2006 CIPPIC study that showed widespread non-compliance with data protection legislation by Canadian companies.

“The most serious deficiency with PIPEDA is the lack of enforcement,” Lawson said. “There’s a rule that says companies shouldn’t be collecting more than necessary, but many of them are and nobody is calling them to account. The act needs to be amended to provide more effective recourse for individuals and others to hold companies accountable.”

David Senf, director of security and software research at Toronto-based IDC Canada Ltd., said Canada would benefit greatly from privacy legislation similar to that passed in California, which requires organizations to reveal to customers that personal data has been compromised.

“Organizations in this country don't fear the repercussions of PIPEDA,” Senf said. “Stronger legislation will go a long way in convincing organizations to tighten up security for better privacy protection.”

He said this includes training employees, properly implementing the right technologies and having ongoing management leadership.

Data Breach Notification Law
What will happen when the corporate himself is the cause for the data breach? (Which I've seen in 80% of the cases, these people are total idiots that have no clue what technology is, only that it fills up their bank account) They are really limited people!
Written by: Mario Perazzelli, from Montreal