In order to encourage major corporations to put greater emphasis on data security, an Ottawa-based public policy organization is calling for the creation of a publicly-accessible electronic registry for corporate data breaches.
Responding to an Industry Canada request for public consultation on data security laws, the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic (CIPPIC) this week recommended that mandatory reporting of data breaches to a public registry is the most effective way to persuade corporations to shore up their potential security risks.
“We’ve been pushing for notification requirements for years, because it’s obvious to me and my colleagues that, by and large, corporations are not doing as much as they should be to secure the personal information in their possession,” Pippa Lawson, executive director at CIPPIC, said. “Our conclusion from years of research is that the market does not provide efficient incentives for effective security precautions, because in most cases, companies can hide the breaches and they are never publicly known about.”
Last year, Parliament recommended that data protection laws – specifically the Personal Information Protection and Electronic Documents Act (PIPEDA) – be amended to include requirements for companies to notify individuals when their personal information was subject to a security breach. Lawson said that while this is a good start, the government needs to go further and require mandatory public reporting of any potential data leaks.
“There are two ways that you can create incentive for companies to take strong security measures: one is to make them pay financially through penalties and fines, and two is to give them bad publicity that can be even more costly,” Lawson said. “If there is a real risk of negative publicity for these companies, the CEOs will make sure that they put more resources into security.”
Mike Haro, senior security analyst at U.K.-based security software provider Sophos Inc., agreed, and cited an example from last year’s data breach incident involving Framingham, Mass.-based retail chain TJX. In an ongoing lawsuit, TJX faces allegations over the compromise and theft of more than 90 million payment cards in a hack of its computer systems.
“Even when you look at TJX, which now amounts to 90 million users that arguably had their credit card information stolen, the majority of the general public who would have been affected by this has probably never heard about it,” Haro said. “So putting some type of apparatus in place where it’s the responsibility of either a governmental organization or the actual company to reach out to everybody, through whatever means of communication, it’s a step in the right direction.”
According to Haro, Sophos research labs are tracking between five and six thousand newly infected Web sites per day – many of those being corporate Web sites or commercial Web sites. And with more people using the Web to make important transactions, he said, a public data breach registry may be in demand.