Canadian privacy law experts support a proposal that organizations be required to notify clients if their personal information has become vulnerable due to a security breach.
The proposal was initially made by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) earlier this week.
CIPPIC said the federal government should have “breach notification laws” similar to those in place in more than 30 American states.
“The absence of a clear requirement for notification in the case of security breaches is a glaring gap in our existing data protection law,” said Philippa Lawson, director of CIPPIC, a public advocacy group based at the University of Ottawa.
CIPPIC was among the groups that presented submissions when the Personal Information Protection and Electronic Documents Act (PIPEDA) was being drafted. “This proposal is extremely important, otherwise PIPEDA would have no teeth,” according to Tim Richardson, professor of e-commerce, marketing and international business at the Seneca College and the University of Toronto. “The question now is how will the law be enforced?”
Richardson wanted to know which agency would enforce the proposed law and how its enforcement would be handled.
A Toronto-based lawyer welcomed the proposal but noted one shortcoming.
“It hasn’t really addressed the issue of fines against erring organizations and compensation for individuals affected by a security breach,” said lawyer John Beardwood, an IT and privacy legal expert with law firm Fasken Martineau DuMoulin LLP, in Toronto.
Beardwood, a former chair of the Canadian Bar Association’s (CBA) national privacy law section, conceded “it’s very tough to determine how compensation should be handled,” and said its possible CIPPIC has set this aside for future study.
However, Beardwood said the “right to damages” is a very important issue.
Fines go to the government and not the victims, so advocates argue a certain amount of financial compensation should be awarded to victims, he said. “You will have an individual up against a big company. Court battles could be a costly proposition for most people, which is why the right to damages should be established.”
Beardwood, however, said the CIPPIC proposal appears to be fair and not onerous to any particular party. “The proposal requires key tests to be satisfied for a company to notify its client that personal information was breached.”
These tests are:
• The information was not encrypted
• The information was encrypted, but the company suspects the possibility of a breach
• The information is sensitive in nature
“The first two consider the likelihood of unauthorized access and the last asks the question ‘is the information vital?’,” Beardwood said.
These are questions companies are likely to ask their lawyers anyway in case of a security breach. But Beardwood says the CIPPIC proposal will strengthen consumer protection.
It is most likely that people would never know if identity thieves have acquired their personal information from businesses they deal with said Lawson. “Without the prospect of costly notification and reputation loss, there is no incentive for these organizations to beef up their security,” she added.
The CIPPIC proposal noted that U.S. states have laws requiring organizations to notify affected individuals when a security breach exposes their personal information to unauthorized access. In contrast, neither does the PIPEDA, nor corresponding provincial statutes include such explicit breach notification requirements.
To date, CIPPIC said, there is no Canadian case law relating to security breaches. Its white paper, however, pointed to an ongoing class action suit against the Canadian Imperial Bank of Commerce (CIBC), which will require the court to address the issue. Beardwood said this case stems from an allegation that CIBC released its clients’ personal information to a junkyard based in the U.S. The junk yard operators allegedly had warned the bank that the practice was illegal and asked CIBC to stop.
The Canadian bank continued sending out client information until the junkyard sued CIBC, said Beardwood. In 2005, several Canadian individuals subsequently filed a class suit against the bank for allegedly breaking its “duty of care” that requires CIBC to treat sensitive client information in confidence.
CIPPIC said a recent poll by Harris Interactive Inc. of Rochester, New York indicates that 19 per cent of the estimated 49 million Americans who were notified of unauthorized access to their personal information believe something harmful happened to them as a result of the breach.
The damages included merchandize charged to the victim’s name (43 per cent), fraud which cost victims money (35 per cent) money stolen from accounts (18 per cent), credit cards taken out using the victim’s name (11 per cent) and identity theft to gain benefits and services (eight per cent).
Total losses to victims and businesses attributed to identity theft were estimated by the U.S. Federal Trade Commission to be around US$56.6 billion in 2005.