At one time, public disclosures of privacy and security breaches were a rare occurrence. Companies were careful to keep such breaches quiet, content to compensate breach victims rather than face the inevitable negative publicity.
Over the past 12 months, there has been a staggering number of reported privacy and security breaches — with some experts estimating that more than 50 million people have been put at risk since the start of this year alone.
The number of breaches may not have changed — few doubt that privacy breaches have been occurring for years. But news of yet another privacy or security breach — whether it is the 40 million credit card holders whose personal information was recently placed at risk or the several dozen CIBC banking customers whose data was inadvertently faxed to a West Virginia junkyard — has become a staple of the daily news cycle.
The change in practice is due in large measure to the State of California’s SB1386, a two-year-old law which mandates that companies and agencies that do business in the state or possess personal information of state residents must report breaches in the security of personal information in their possession. Companies are required to act quickly, notifying customers in writing, electronically, or by prominently posting the information on their website.
The California law has spawned nearly a dozen imitators throughout the United States as other states seek to provide their residents with similar protections. Moreover, pressure has begun to build on the U.S. Congress to adopt a national reporting law to provide all residents with equal treatment and to ensure that all companies face a single nationwide standard.
Unfortunately, no similar law exists in Canada. In fact, until Ontario Privacy Commissioner Ann Cavoukian publicly called for the adoption of such a law late last month, no Canadian privacy commissioner at either the federal or the provincial level had used their position to pressure for such reforms.
With Industry Minister David Emerson leading a review of Canada’s national privacy law next year, however, it appears likely that a reporting requirement will be a major topic of discussion.
Privacy advocates are likely to support a reporting requirement, though many larger Canadian companies, fearful of the negative publicity associated with such disclosures, may voice opposition.
This opposition will centre on three issues. First, opponents are likely to argue that reporting requirements generate an exaggerated sense of risk among the public, since the number of people potentially affected by a privacy breach is invariably far higher than the number of people who are actually harmed. For example, while 40 million card holders were potentially victimized by the recent security breach, the number of card holders who actually had their information misused is likely quite small.
The problem is that the number of people actually affected by a breach is rarely known immediately since identity thieves may use the information for weeks or months before anyone notices. Mandatory disclosure better ensures that consumers will be alert to discrepancies in their credit activity and can then take additional steps to mitigate potential damage should it arise.
Second, opponents are likely to argue that, over time, the public will ignore regular security breach disclosures as the novelty associated with such warnings disappears. While there may indeed be some members of the public who tune out security breach disclosures, I suspect that most will take them seriously for the foreseeable future.
Moreover, those who become resigned to the inevitability of security breaches are likely to exercise greater caution in disclosing their personal information as they consider the risk associated with providing sensitive personal information to dozens of organizations. If consumers in large numbers refuse to disclose their personal information, organizations will be forced to implement stronger protections to assuage consumer fears.
Third, some opponents may argue that disclosures are unnecessary since current privacy legislation features an accountability principle that places responsibility for personal information that is collected, used, and disclosed on the organization that first collects the data.
Leaving aside the fact that breaching that law carries virtually no adverse consequences for Canadian organizations (the Privacy Commissioner of Canada is unable to levy fines or penalties and has even been reluctant to name the organizations facing repeated complaints), reliance on the accountability principle would carry far more weight if companies committed to disclosing breaches to their customers within their privacy policies, a step that few, if any, Canadian companies have taken.
The Canadian business and privacy communities point with pride to Canada’s private sector privacy law, rarely hesitating to remind observers that the U.S. has yet to enact similar, broadly applicable privacy regulation.
As our southern neighbours march toward a national privacy and security breach disclosure law, Canada may find itself playing catch up on the defining privacy issue of the year.