Congratulations to Ontario Privacy Commissioner Ann Cavoukian for being the first Canadian privacy commissioner to speak out for what should be self-evident: Canada needs a law that requires organizations to report privacy or security breaches to their customers.
California has provided the model for this kind of legislation with many U.S. states following suit.
I wrote about this earlier this year and plan to revisit the issue shortly. Simply put, there is no more effective tool to encourage compliance than this form of law. The recent spate of security breaches does not mean that the breaches are new. Rather, the reports are new and the response from legislators, companies, and the public provides ample evidence that this legislation belongs in every jurisdiction’s privacy toolkit.
Automatic breach notification has the potential to be counter-productive. As California and other states show, when individuals are over-inundated with notices for every single slight of breach, it tends to burden the individual with too much mail and increase the chances of going straight to the waste basket. Is this good for privacy in Canada? Hardly.
Discretionary breach reporting is still preferable since it allows the organization to use a — hopefully — conscientious approach in the decision leading up to when to issue notification or not.
That said, your blog is the absolute best resource on privacy available in Canada. Thank you for all your hard work and clear commitment to the principles of good privacy protection. It is appreciated.