Privacy advocates have asked Parliament to enact legislation that would require organizations to report and notify their customers if their personal information has been breached.
Ottawa-based Canadian Internet Policy and Public Interest Clinic (CIPPIC) has released a white paper entitled, Approaches to Security Breach Notification, detailing gaps in the Canadian legal framework that may leave people vulnerable to identity theft and other fraud.
“It is our impression that many security breaches involving personal information are happening without being exposed to the public limelight because there is a big cost to companies in exposing this, (including) reputational [consequences],” said Philippa Lawson, executive director and general counsel for CIPPIC.
Among other benefits, mandatory breach notification ensures that individuals whose personal information is put at risk can take the necessary actions to protect themselves from possible identity theft or fraud.
While breach notification may be an “implicit requirement” in some cases under various statutes, including the Personal Information Protection and Electronic Documents Act (PIPEDA), the obligation needs to be made explicit, Lawson stressed. This would give organizations and service providers clear guidelines as to when and how to conduct breach notifications, she added. “Without a law requiring companies to report these breaches and to notify (affected) individuals…there is not as great an incentive for them to have strong security,” Lawson said.
The CIPPIC paper advocated amending PIPEDA to include a mandatory requirement for breach notification. PIPEDA is currently under review by the House of Commons standing committee on access to information, privacy and ethics.
Breach notification statutes are already enforced in many U.S. states, including California, New York and North Carolina. Companies doing business in the U.S. are mandated, in the event of an information breach, to notify customers living within a jurisdiction that has such a law.
Because Canada does not have an explicit rule for mandatory breach notification, organizations involved in a breach with customers both in the U.S. and Canada may only feel obligated to notify their American customers and not their Canadian clients, according to the CIPPIC white paper.
Mandatory breach notification legislation would provide clear standards for both organizations and customers that can aid in the event that a lawsuit ensues, according to Jason Young, a lawyer for Toronto-based Deeth Williams Wall LLP.
Young said the enactment of a breach notification law would increase the likelihood of lawsuits related to privacy and breach of personal information in Canada. And while there may be parties that will oppose such legislation, he believes many large enterprises that are “sophisticated about privacy protection” will support this move.
“These are global companies that are already dealing with those statutes in the U.S.…(and) I don’t think it’s going to be a huge shift for them to deal with it (in Canada),” Young said.
The Toronto lawyer added that the primary concern for many organizations is how to carry out breach notification without significantly disrupting the business.
At least one industry association, however, is rejecting any legislative solution to the issue of breach notification. The Information Technology Association of Canada (ITAC) is “doubtful of the benefits” of mandatory disclosure of any breach of personal information through legislation.
Instead, industry should engage in a discussion with privacy officials in government on ways to address information breaches, said ITAC chair Doug Cooper.
“It’s not a one-size-fits-all solution,” Cooper said.
The ITAC executive added that if a sweeping mandate on breach notification is enforced, it runs the risk of unnecessarily alerting the public to a breach that may or may not actually endanger people’s personal information.
The Canadian Chamber of Commerce (CCC) has not commented specifically on the proposal for breach notification legislation. It has, however, taken a position that no changes should be made to PIPEDA at this time.
“The structure of PIPEDA allows for an effective and workable balance between the interests of protecting an individual’s personal information and allowing for business to operate effectively. In addition, there is flexibility built into PIPEDA that is an important factor in allowing industry to efficiently respond to any privacy issues,” read a position paper submitted by the CCC to the federal privacy commissioner.