
Ottawa urged to draft data breach notification law

To encourage major corporations to put greater emphasis on data security, an Ottawa-based public policy organization is calling for the creation of a publicly accessible electronic registry of corporate data breaches.

Responding to an Industry Canada request for public consultation on data security laws, the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic (CIPPIC) this week recommended mandatory reporting of data breaches to a public registry as the most effective way to persuade corporations to address their security risks.

“We’ve been pushing for notification requirements for years, because it’s obvious to me and my colleagues that, by and large, corporations are not doing as much as they should be to secure the personal information in their possession,” Pippa Lawson, executive director at CIPPIC, said. “Our conclusion from years of research is that the market does not provide efficient incentives for effective security precautions, because in most cases, companies can hide the breaches and they are never publicly known about.”

Last year, Parliament recommended that data protection laws – specifically the Personal Information Protection and Electronic Documents Act (PIPEDA) – be amended to include requirements for companies to notify individuals when their personal information was subject to a security breach. Lawson said that while this is a good start, the government needs to go further and require mandatory public reporting of any potential data leaks.

“There are two ways that you can create incentive for companies to take strong security measures: one is to make them pay financially through penalties and fines, and two is to give them bad publicity that can be even more costly,” Lawson said. “If there is a real risk of negative publicity for these companies, the CEOs will make sure that they put more resources into security.”

Mike Haro, senior security analyst at U.K.-based security software provider Sophos Inc., agreed, citing last year’s data breach at Framingham, Mass.-based retail chain TJX. In an ongoing lawsuit, TJX is accused of allowing more than 90 million payment cards to be compromised and stolen in a hack of its computer systems.

“Even when you look at TJX, which now amounts to 90 million users that arguably had their credit card information stolen, the majority of the general public who would have been affected by this has probably never heard about it,” Haro said. “So putting some type of apparatus in place where it’s the responsibility of either a governmental organization or the actual company to reach out to everybody, through whatever means of communication, it’s a step in the right direction.”

According to Haro, Sophos research labs are tracking between five and six thousand newly infected Web sites per day, many of them corporate or commercial sites. With more people using the Web for important transactions, he said, there may be demand for a public data breach registry.

“These are sites that are legitimate, so unassuming users will get infected with what’s on site,” Haro said. “So there’s definitely a high prevalence that data breaches are going to consistently happen. And while maybe not always on the scale of a TJX, they are occurring more frequently.”

With more cyber crime cropping up every day, CIPPIC also called for future law reform to address what it called “PIPEDA’s woefully inadequate redress and enforcement regime.” Lawson referred to a 2006 CIPPIC study that found widespread non-compliance with data protection legislation among Canadian companies.

“The most serious deficiency with PIPEDA is the lack of enforcement,” Lawson said. “There’s a rule that says companies shouldn’t be collecting more than necessary, but many of them are and nobody is calling them to account. The act needs to be amended to provide more effective recourse for individuals and others to hold companies accountable.”

David Senf, director of security and software research at Toronto-based IDC Canada Ltd., said Canada would benefit greatly from legislation like California’s breach notification law, which requires organizations to tell customers when their personal data has been compromised.

“Organizations in this country don't fear the repercussions of PIPEDA,” Senf said. “Stronger legislation will go a long way in convincing organizations to tighten up security for better privacy protection.”

He said this includes training employees, properly implementing the right technologies and having ongoing management leadership.

Data Breach Notification Law
What will happen when the corporate himself is the cause of the data breach? (Which I’ve seen in 80% of cases; these people are total idiots who have no clue what technology is, only that it fills up their bank account.) They are really limited people!
Written by: Mario Perazzelli, from Montreal