In the coming months, Industry Minister David Emerson will lead the federal government on a review of Canada's national privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Critics are likely to call for tougher enforcement measures, better reporting of decisions, and an end to the Federal Privacy Commissioner's policy that shields organizations that are the target of successful complaints.
The law now on the books has supporters. They will say it has achieved its goals by providing Canadians with a mechanism to resolve privacy disputes while encouraging businesses to adopt privacy-friendly practices. The current law's backers will point to the relatively small number of cases — there have been fewer than 300 findings from the Privacy Commissioner over the past four years — as evidence that the law is working.
While citing caseload numbers may seem logical, the reality is that the number of complaints provides little insight into whether Canadians' privacy is indeed better protected. More often than not, privacy breaches, including instances of misused personal information or inadequately safeguarded information, do not come to light. As last year's CIBC privacy breach illustrates, serious breaches so rarely become public that when they do, the stories tend to generate front-page headlines and national interest.
Recognizing that companies have an incentive to keep privacy and security breaches private, the State of California has adopted a law that requires organizations to publicly disclose privacy breaches to their customers. Although opposed by business, the law, known as SB1386, has proven wildly successful since its enactment just over 18 months ago.
The law requires companies and agencies that do business in the state, or possess personal information of state residents, to report breaches in the security of personal information in their possession. Companies must act quickly, notifying customers in writing, electronically, or by prominently posting the information on their website.
The law's impact on business practice has been dramatic. The State's Office of Privacy Protection recently surveyed California companies and found that 76 percent of surveyed companies changed their communications policies as a result of the new law; about one third of the surveyed companies changed security procedures; and almost half changed the way they used social security numbers (the U.S. equivalent of Canadian social insurance numbers).
In fact, a provision in the law that excludes encrypted data has reportedly persuaded many organizations to adopt new encryption techniques to better protect their customers' personal information.
The changes have no doubt been motivated by the fact that several organizations have been forced to disclose security breaches to their customers. As many as 145,00 blood donors in the Los Angeles area were notified that their personal information may have been compromised when a laptop was stolen, while numerous banks and credit unions have also reported privacy breaches.
Universities have been particularly affected by the law. The University of California at Berkeley reported that information on 600,000 people was compromised by a hacker, while the University of California San Diego was forced to notify 380,000 students, alumni, employees, and applicants for admission about a similar incident.
These cases prove what many analysts have long suspected — that many privacy breaches never become public as companies prefer to quietly resolve the issue without raising concern among their customers.
Just last week the Alberta Privacy Commissioner issued scathing findings against three companies for failing to adequately protect their customers' personal information.
The issue only came to light after Edmonton police discovered a motel room filled with personal information including bank account information, social insurance numbers, credit card data, and customer signatures.
The time has come to lift the veil of secrecy surrounding privacy and security breaches in Canada. For every case that comes to light, there is little doubt that there are many more that remain hidden from public view.
From a privacy compliance perspective, experience illustrates that mandatory reporting requirements provide an effective motivation for organizations to take their privacy and security obligations seriously. With identity theft at an all-time high, they also ensure that the public is kept informed about the security of their personal information and better positioned to monitor their credit reports and credit card activity for suspicious activity.
Former IBM CEO Louis Gerstner once noted that "people don't do what you expect, they do what you inspect." For Canada's privacy legislation to meet expectations, we need more inspection and better disclosure practices. A mandatory self-reporting system on privacy and security breaches would be a step in the right direction.