My weekly Law Bytes column (Toronto Star version, homepage version) focuses on the need for Canadian privacy reform in light of last week's security breaches involving CIBC and retailer giant Winners. I note that these two incidents highlight the fragility of sensitive, personal information that is entrusted to Canadian businesses as well as the inadequacy of current Canadian privacy legislation. Business groups have cautioned against privacy law reforms, yet as the risk of identity theft grows, the calls for change are likely to become more vocal.
While the U.S. pushes forward with security breach disclosure legislation, Canadian business has argued strongly against similar reforms. The Information Technology Association of Canada, which features representatives from companies such as BCE, Telus, Rogers, Microsoft, Nortel, and Research in Motion on its board of directors, warned against mandatory notification legislation in an appearance before a parliamentary committee last month.
ITAC representatives, who expressed support for a legal framework under which the Privacy Commissioner would have no order making power and would not identify the companies subject to privacy complaints, claimed that "many organizations currently contact the Office of the Privacy Commissioner to get guidance on how to deal with security breaches" and that "mandatory notification requirements would result in notification fatigue for customers."
The ITAC position implicitly acknowledges that security breaches that place Canadians' personal information at risk are a regular occurrence, yet the organization rejects any requirement for businesses to disclose those breaches to their customers or to be identified in the event that they are subject to a complaint over the incident.
Appearing before the same committee, Privacy Commissioner of Canada Jennifer Stoddart admitted that Canadian law "does not require organizations to take any specific actions in the event of an unauthorized disclosure." Moreover, Stoddart added that "breach notification laws may force organizations to take security more seriously. They may provide individuals with an early warning system to make them better prepared to deal with the risk of identity theft and other harms that might result from a privacy breach."
What the Commissioner neglected to say is that the current complaints-driven privacy law framework is ill-equipped to adequately address security breaches. Individuals must be aware of an alleged privacy violation in order to file a complaint. In the case of a security breach, unless the organization notifies its customers, individuals typically only become aware of the situation once their credit cards become overdrawn or their bank accounts are cleaned out. Indeed, Phonebusters, a Canadian consumer fraud group, reports that it receives thousands of complaints from victims of identity theft each year, with millions of dollars placed at risk.
Moreover, the Commissioner's limited powers – she has only the power to issue non-binding findings – ensure that security breach investigations (such as the one the Commissioner promised last week once the CIBC breach came to light) can yield little more than recommendations for change. There is no statutory power to require organizations to alter their privacy and security practices.
With a parliamentary committee in the midst of considering reforms to Canada's privacy law, a mandatory security breach notification requirement should move to the very top of the priority list. As millions of Canadians who shop at Winners or invest with CIBC worry about whether their personal information has been misused, it is time to remove the prospect that Canadians may be kept in the dark as their sensitive, personal information falls into the hands of identity thieves.