Privacy Breaches Expose Flaws in the Law

My weekly Law Bytes column (Toronto Star version, homepage version) focuses on the need for Canadian privacy reform in light of last week's security breaches involving CIBC and retailer giant Winners.  I note that these two incidents highlight the fragility of sensitive, personal information that is entrusted to Canadian businesses as well as the inadequacy of current Canadian privacy legislation.  Business groups have cautioned against privacy law reforms, yet as the risk of identity theft grows, the calls for change are likely to become more vocal. 

While the U.S. pushes forward with security breach disclosure legislation, Canadian business has argued strongly against similar reforms.  The Information Technology Association of Canada, which features representatives from companies such as BCE, Telus, Rogers, Microsoft, Nortel, and Research in Motion on its board of directors, warned against mandatory notification legislation in an appearance before a parliamentary committee last month.

ITAC representatives, who expressed support for a legal framework under which the Privacy Commissioner would have no order making power and would not identify the companies subject to privacy complaints, claimed that "many organizations currently contact the Office of the Privacy Commissioner to get guidance on how to deal with security breaches" and that "mandatory notification requirements would result in notification fatigue for customers."

The ITAC position implicitly acknowledges that security breaches that place Canadians' personal information at risk are a regular occurrence, yet the organization rejects any requirement for businesses to disclose the breaches to their customers or to be identified in the event that they are subject to a complaint over the incident.

Appearing before the same committee, Privacy Commissioner of Canada Jennifer Stoddart admitted that Canadian law "does not require organizations to take any specific actions in the event of an unauthorized disclosure." Moreover, Stoddart added that "breach notification laws may force organizations to take security more seriously. They may provide individuals with an early warning system to make them better prepared to deal with the risk of identity theft and other harms that might result from a privacy breach."

What the Commissioner neglected to say is that the current complaints-driven privacy law framework is ill-equipped to adequately address security breaches.  Individuals must be aware of an alleged privacy violation in order to file a complaint. In the case of a security breach, unless the organization notifies its customers, individuals typically only become aware of the situation once their credit cards become overdrawn or their bank account is cleaned out. Indeed, Phonebusters, a Canadian consumer fraud group, reports that it receives thousands of complaints from victims of identity theft each year, with millions of dollars placed at risk.

Moreover, the Commissioner's limited powers – she has only the power to issue non-binding findings – ensure that security breach investigations (such as the one the Commissioner promised last week once the CIBC breach came to light) can yield little more than recommendations for change.  There is no statutory power to require organizations to alter their privacy and security practices.

With a parliamentary committee in the midst of considering reforms to Canada's privacy law, a mandatory security breach notification requirement should move to the very top of the priority list.  As millions of Canadians who shop at Winners or invest with CIBC worry about whether their personal information has been misused, it is time to remove the prospect that Canadians may be kept in the dark as their sensitive, personal information falls into the hands of identity thieves.

  1. Having been the victim of a disclosure of personal information at the hands of TD Bank and having them take absolutely no effort to notify the other customers of the severity of the disclosure, even after I explicitly asked them to; I for one think the banks and corporations have majorly dropped the ball, just don’t care, and need to be regulated in this area with steep fines for non-compliance.

    This situation came about when a pilot program email was cc’d [instead of BCC’d] to over 500 corporate banking customers. Disclosing email addresses normally doesn’t have a lot of value, but in the context of corporate banking administration email accounts, they have a lot more value. TD sent out minimal notices, acknowledging only a spam problem that it created when a Derick Scott used the list to send UCE. They never publicly acknowledged the security risks or notified their customers of them despite being directly asked to.

    There should also be phishing laws where the design of a system can be reasonably predicted to lead to phishing fraud. Interac Online — I’m looking at you. The CUCBC has looked at the probability for phishing within the Interac Online system and found it to be high. Yet a number of Canadian banks are going forward with this program despite having been notified of the dangers.

    CUCBC MemberDirect Report [pdf]

    “There are also some concerns around online fraud with regards to the INTERAC Online service, as the probability of phishing attacks against this service is high. Increased online security may be required before this service is implemented as a feature of MemberDirect Services.”

    It is only the consumer who gets hurt, and the banks make their service fees. Time for regulation in this space — privacy and security is not being taken seriously.

  2. I agree completely with the last paragraph in the above comment.

    I would go further, and say it should be criminal if sensitive private data held by a company is not being minimally secured according to some legislated standard.

    It is stupid that this stolen data was not encrypted. If it were encrypted, other people couldn’t use it. SIMPLE. People should be criminally punished for being so stupid, and almost surely exposing these poor victims to certain crime. Policies for encrypting this data wouldn’t be hard to implement. It’s beyond negligence that they were not by these companies. Companies like Winners that don’t give a flying S*** about their security policies are enabling criminals, and I don’t see a gross distinction between a criminal and one who by wilful negligence begs criminals to steal data the company is holding in trust.

    At the very least, I wonder if this company could be sued.

    Maybe the companies opposing the breach notification law have a point. Regulations like those proposed might not be a good fit for certain situations, or overkill, or conflict with other laws. So, those concerns could be addressed, I am sure. The status quo isn’t working though, and companies like Winners need that drilled into them (or hopefully drilled out of their bottom line, with an enormous obligation from a lost lawsuit.)

    But in any case, that’s not the main problem. The problem is just plain idiocy. IDIOCY. If people could be sued big time for being so cavalier with information they choose to be entrusted with, it might go some way to helping solve the problem. There has to be some method of eventual accountability, even if it isn’t provided in part by these particular proposed notification obligations.

  3. Compromised CIBC client says:

    Just a short follow-up: It took 5 phone calls to CIBC numbers to reveal:
    1) CIBC farmed out client follow-up to a contracted call centre!
    2) their client letter was hopelessly vague on any indication of the degree of the breach with my personal information
    3) the letter indicated that they were enrolling me in a ‘credit monitoring service’ at no cost to me
    4) the monitoring service was merely a free service: placing a fraud flag on my credit files with only 2 of the 3 national credit reporting agencies
    5) ALL my pertinent personal information was on this lost backup file
    6) CIBC will not tell me if they even encrypted the data in the lost backup file
    7) CIBC privacy statement in bold reads: “Your privacy is protected…We are accountable”
    8) CIBC refuses to provide clients with a real Credit Monitoring Service as stated in their client letter (usually about $15/month…but hey, I’m the one who will forever be looking over my shoulder wondering when my double will ruin my credit rating or worse commit criminal fraud using my identity).

    My sorry lesson: CIBC does NOT respect client privacy, does NOT appear to be interested in client satisfaction nor retention.

    Check out the Privacy Commissioner’s website to see other CIBC boondoggles. My perception is that CIBC is not taking client privacy matters seriously despite current legislation.