Privacy Breaches Expose Flaws in Law

Appeared in the Toronto Star on January 22, 2007 as Privacy Breaches Expose Flaws in Law

Privacy took centre stage in Canada late last week as TJX Cos., the parent company of retail giants Winners and HomeSense, disclosed that as many as two million Canadian credit cards may have been accessed by computer hackers.  Less than 24 hours later, the CIBC revealed that account information for 470,000 customers had been lost when a computer file went missing while in transit between company offices.  

These two incidents, which follow a steady stream of similar security breaches in the United States, highlight the fragility of sensitive, personal information that is entrusted to Canadian businesses as well as the inadequacy of current Canadian privacy legislation.  Business groups have cautioned against privacy law reforms, yet as the risk of identity theft grows, the calls for change are likely to become more vocal.  

Over the past two years, dozens of U.S. states have enacted security breach disclosure legislation.  These laws require organizations that suffer a security breach that places personal information at risk to promptly disclose that fact to the affected individuals.  By mandating notification, the laws ensure that individuals are better able to guard against identity theft by closely monitoring their credit card bills, bank accounts, and credit reports for any unusual activity.

From a business perspective, the laws create a strong incentive to protect personal information since the notification process is both expensive and embarrassing.  Moreover, the laws have persuaded some organizations to rethink the amount of personal information they retain, since mounting data collection and retention increases the damaging consequences of a security breach.

As a result of these laws, there have been dozens of notifications from retailers (the TJX Cos. disclosure may well have been in response to a U.S. legal requirement), data aggregators, and educational institutions.  Given the overlapping state notification laws, many U.S. privacy observers expect the U.S. Congress to soon enact a national notification requirement.

While the U.S. pushes forward with security breach disclosure legislation, Canadian business has argued strongly against similar reforms.  The Information Technology Association of Canada, which features representatives from companies such as BCE, Telus, Rogers, Microsoft, Nortel, and Research in Motion on its board of directors, warned against mandatory notification legislation in an appearance before a parliamentary committee last month.

ITAC representatives, who expressed support for a legal framework under which the Privacy Commissioner would have no order making power and would not identify the companies subject to privacy complaints, claimed that "many organizations currently contact the Office of the Privacy Commissioner to get guidance on how to deal with security breaches" and that "mandatory notification requirements would result in notification fatigue for customers."  

The ITAC position implicitly acknowledges that security breaches that place Canadians' personal information at risk are a regular occurrence, yet the organization rejects any requirement for business to disclose the breaches to their customers or be identified in the event that they are subject to a complaint over the incident.

Appearing before the same committee, Privacy Commissioner of Canada Jennifer Stoddart admitted that Canadian law "does not require organizations to take any specific actions in the event of an unauthorized disclosure." Moreover, Stoddart added that "breach notification laws may force organizations to take security more seriously. They may provide individuals with an early warning system to make them better prepared to deal with the risk of identity theft and other harms that might result from a privacy breach."

What the Commissioner neglected to say is that the current complaints-driven privacy law framework is ill-equipped to adequately address security breaches.  Individuals must be aware of an alleged privacy violation in order to file a complaint. In the case of a security breach, unless the organization notifies its customers, individuals typically only become aware of the situation once their credit cards become overdrawn or their bank account is cleaned out. Indeed, Phonebusters, a Canadian consumer fraud group, reports that it receives thousands of complaints from victims of identity theft each year, with millions of dollars placed at risk.

Moreover, the Commissioner's limited powers (she has only the power to issue non-binding findings) ensure that security breach investigations, such as the one the Commissioner promised last week once the CIBC breach came to light, can yield little more than recommendations for change.  There is no statutory power to require organizations to alter their privacy and security practices.

With a parliamentary committee in the midst of considering reforms to Canada's privacy law, a mandatory security breach notification requirement should move to the very top of the priority list.  As millions of Canadians who shop at Winners or invest with CIBC worry about whether their personal information has been misused, it is time to remove the prospect that Canadians may be kept in the dark as their sensitive, personal information falls into the hands of identity thieves.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

8 Comments

  1. Neil Schwartzman says:

    Chair, CAUCE Canada
    Great piece, Michael. Always sad to see how little regard such companies as BCE, Telus, Rogers, Microsoft, Nortel, and Research in Motion have for their customers when push comes to shove. 'Consumer fatigue'. Gee, maybe they are looking out for our best interests after all.

  2. Privacy
    This is interesting. I regularly read a privacy blog, GlobalPOV. The real question I have is: can law really keep up with technology? I read a book by the same guy, Privacy Lost, and the sense that I'm getting from him and other authors on the subject is that technology is moving too quickly for legislators who have no expertise in the matter to keep up. What say you, sir?

  3. Sorry it was [ link ], I must have mistyped the html.

  4. Security breach
    I think it's obvious we need a Security Breach Disclosure law passed in Canada, so that companies are forced to disclose breaches when they occur. TJX, the card processing company for Winners/HomeSense, clearly waited till after Xmas to announce the breach, so that sales were not affected. Companies should not be allowed to withhold the critical information that could result in fraud or identity theft. Notification should include educating the public about the level of risk associated with the type of breach that occurred, and what precautions, if any, the public should take. One can only speculate as to how many security breaches have occurred that we don't know of, or even worse, how many companies don't know they've been hacked.

  5. disturbing breach says:

    What about the breach in BC of thousands of Social Assistance recipients' very personal medical information, as well as SIN numbers, addresses and names, that was leaked when several people bought auctioned-off computers from Telus and the provincial govt? Some honest citizen turned in their computer, but several other computers are missing and all of this information could've been stolen and used for fraudulent purposes. Did the provincial govt launch an investigation or privately/publicly apologise to ANY of the people affected by this breach? Of course not, because they are low income people without a voice. I find this disturbing and would like to launch a complaint but I'm not sure how to go about it. This only happened recently, in the last six months. Anyone have any ideas on how to go about submitting a complaint?

  6. Disturbing Breaches
    Every weeknight during the CTV 6pm News, Chris Olsen investigates anything that is important to the public, although it's somewhat related to consumer products. I would also check the Better Business Bureau (www.bbb.org) or Phonebusters (www.phonebusters.com) websites for launching complaints, or perhaps the related links added below this column.

  7. Roger Philmore says:

    Hmmm
    Poo on my face

  8. Michael Dames says:

    Thank you for posting.
    Truly amazing! I genuinely enjoyed reading it, I was able to find what I am looking for in this site. Thanks for the post and for the comments. I hope you keep on sharing this fun and interesting post. You can also try to check this http://inflatablepooltoys.net/ for you and your kids.