In order to encourage major corporations to put greater emphasis on data security, an Ottawa-based public policy organization is calling for the creation of a publicly-accessible electronic registry for corporate data breaches.
Responding to an Industry Canada request for public consultation on data security laws, the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic (CIPPIC) this week recommended that mandatory reporting of data breaches to a public registry is the most effective way to persuade corporations to shore up their potential security risks.
“We’ve been pushing for notification requirements for years, because it’s obvious to me and my colleagues that, by and large, corporations are not doing as much as they should be to secure the personal information in their possession,” Pippa Lawson, executive director at CIPPIC, said. “Our conclusion from years of research is that the market does not provide efficient incentives for effective security precautions, because in most cases, companies can hide the breaches and they are never publicly known about.”
Last year, Parliament recommended that data protection laws – specifically the Personal Information Protection and Electronic Documents Act (PIPEDA) – be amended to include requirements for companies to notify individuals when their personal information was subject to a security breach. Lawson said that while this is a good start, the government needs to go further and require mandatory public reporting of any potential data leaks.
“There’s two ways that you can create incentive for companies to take strong security measures: one is to make them pay financially through penalties and fines, and two is to give them bad publicity that can be even more costly,” Lawson said. “If there is a real risk of negative publicity for these companies, the CEOs will make sure that they put more resources into security.”
Mike Haro, senior security analyst at U.K.-based security software provider Sophos Inc., agreed, and cited an example from last year’s data breach incident involving Framingham, Mass.-based retail chain TJX. In an ongoing lawsuit, TJX is accused of having over 90 million payment cards compromised and stolen in a hack of its computer systems.
“Even when you look at TJX, which now amounts to 90 million users that arguably had their credit card information stolen, the majority of the general public who would have been affected by this has probably never heard about it,” Haro said. “So putting some type of apparatus in place where it’s the responsibly of either a governmental organization or the actual company to reach out to everybody, through whatever means of communication, it’s a step in the right direction.”
According to Haro, Sophos research labs are tracking between five and six thousand newly infected Web sites per day – many of those being corporate Web sites or commercial Web sites. And with more people using the Web to make important transactions, he said, a public data breach registry may be in demand.
“These are sites that are legitimate, so unassuming users will get infected with what’s on site,” Haro said. “So there’s definitely a high prevalence that data breaches are going to consistently happen. And while maybe not always on the scale of a TJX, they are occurring more frequently.” And with more cyber crime cropping up every day, CIPPIC also recommended the need for future law reform to address what they called “PIPEDA’s woefully inadequate redress and enforcement regime.” Lawson referred to a 2006 CIPPIC study that showed widespread non-compliance with data protection legislation by Canadian companies.
“The most serious deficiency with PIPEDA is the lack of enforcement,” Lawson said. “There’s a rule that says companies shouldn’t be collecting more than necessary, but many of them are and nobody is calling them to account. The act needs to be amended to provide more effective recourse for individuals and others to hold companies accountable.”
David Senf, director of security and software research at Toronto-based IDC Canada Ltd., said Canada would benefit greatly from similar privacy legislation passed in California which mandates organizations to reveal to customers that personal data has been compromised.
“Organizations in this country don't fear the repercussions of PIPEDA,” Senf said. “Stronger legislation will go a long way in convincing organizations to tighten up security for better privacy protection.”
He said this includes training employees, properly implementing the right technologies and having ongoing management leadership.