Privacy experts push for breach law

CIBC discloses loss of data on 470,000 clients

Privacy advocates have asked Parliament to enact legislation that will require organizations to report and notify their customers if protection of their personal information has been breached.

The Canadian Internet Policy and Public Interest Clinic (CIPPIC) asserts the federal government should have breach notification laws similar to those in place in more than 30 American states. A white paper issued in early January, entitled “Approaches to Security Breach Notification,” outlines gaps in the Canadian legal framework that may expose individuals and organizations to identity theft and other fraud.

“The absence of a clear requirement for notification in the case of security breaches is a glaring gap in our existing data protection law (PIPEDA),” says Philippa Lawson, director of CIPPIC, a public advocacy group based at the University of Ottawa.

CIPPIC was among the groups that presented submissions when the Personal Information Protection and Electronic Documents Act (PIPEDA) was being drafted.

The push by CIPPIC is timely. The Canadian Imperial Bank of Commerce (CIBC) announced yesterday that its mutual fund subsidiary – Talvest Mutual Funds – had lost a backup drive containing information on 470,000 clients.

The drive, lost in transit from the Montreal office of Talvest, may have contained sensitive personal information, such as names, addresses, signatures, dates of birth, social insurance numbers, bank account numbers and beneficiary information, according to a statement.

The loss – and the massive potential security breach it may have caused – is being investigated by Canada’s privacy commissioner Jennifer Stoddart.

While breach notification may be an implicit requirement in some cases under various federal and provincial statutes, including PIPEDA, the obligation needs to be made explicit, says CIPPIC’s Lawson.

A mandatory obligation would give organizations and service providers a set of clear guidelines on when and how to conduct breach notifications, she added.

The CIPPIC paper pushes for an amendment to PIPEDA to ensure mandatory breach notification. PIPEDA is currently under review by the House of Commons Standing Committee on Access to Information, Privacy and Ethics.

“This proposal is extremely important, otherwise PIPEDA would have no teeth,” says Tim Richardson, professor of e-commerce, marketing and international business at Seneca College and University of Toronto. “The question now is, how will the law be enforced?”

Richardson points out that it is not yet clear which agency would enforce the proposed law or how enforcement would be handled.

A Toronto-based lawyer welcomed the proposal, but noted at least one shortcoming. “It hasn’t really addressed the issue of fines against erring organizations and compensation for individuals affected by a security breach,” says John Beardwood, an IT and privacy expert with law firm Fasken Martineau DuMoulin LLP.

Beardwood, a former chair of the Canadian Bar Association’s national privacy law section, concedes it would be very tough to determine how compensation should be handled, adding it’s possible CIPPIC has set this aside for future study.

However, he stresses that the “right to damages” is a crucial issue. Fines go to the government and not the victims; and advocates argue that a certain amount of financial compensation should be awarded to victims, he says.

“You will have an individual up against a big company. Court battles could be a costly proposition for most people, which is why the right to damages should be established.”

Beardwood says the CIPPIC proposal appears to be fair and not onerous to any one particular party. “The proposal requires key tests to be satisfied for a company to notify its client that personal information was breached.”

These tests are:

– The information was not encrypted
– The information was encrypted, but the company suspects the possibility of a breach
– The information is sensitive in nature

“The first two consider the likelihood of unauthorized access and the last asks the question, is the information vital?” Beardwood explains.

These are questions that companies are likely to ask their lawyers anyway in the event of a security breach. But Beardwood says the CIPPIC proposal would strengthen consumer protection.

It’s likely most would never know if identity thieves had acquired their personal information from businesses they had previously dealt with, adds CIPPIC director Lawson.

“Without the prospect of costly notification and reputation loss, there is no incentive for these organizations to beef up their security,” she says.

Jason Young, a lawyer for Toronto-based Deeth Williams Wall LLP, believes many large enterprises would support stronger measures.

“Most large organizations that are sophisticated about privacy protection are not opposed to mandatory breach notification,” says Young. “These are global companies that are already dealing with those statutes in the U.S. … I don’t think it’s going to be a huge shift for them to deal with it [in Canada].”

At least one industry association, however, rejects a legislative solution to breach notification. The Information Technology Association of Canada (ITAC) doubts the benefits of mandating disclosure of personal information breaches through legislation.

Instead, industry should engage with privacy officials in government to discuss ways to address information breaches, says ITAC chair Doug Cooper. “It’s not a ‘one size fits all’ solution,” he adds.

The ITAC executive added that a sweeping breach-notification mandate would risk unnecessarily alerting the public to breaches that may not actually endanger an individual’s personal information.

– With files from Nestor Arellano, Mari-Len De Guzman and Joaquim Menezes