Privacy took centre stage in Canada late last week as TJX Cos., the parent company of retail giants Winners and HomeSense, disclosed that as many as two million Canadian credit cards may have been accessed by computer hackers. Less than 24 hours later, the CIBC revealed that account information for 470,000 customers had been lost when a computer file went missing while in transit between company offices.
These two incidents, which follow a steady stream of similar security breaches in the United States, highlight the fragility of sensitive, personal information that is entrusted to Canadian businesses as well as the inadequacy of current Canadian privacy legislation. Business groups have cautioned against privacy law reforms, yet as the risk of identity theft grows, the calls for change are likely to become more vocal.
Over the past two years, dozens of U.S. states have enacted security breach disclosure legislation. These laws require organizations that suffer a security breach that places personal information at risk to promptly disclose that fact to the affected individuals. By mandating notification, the laws ensure that individuals are better able to guard against identity theft by closely monitoring their credit card bills, bank accounts, and credit reports for any unusual activity.
From a business perspective, the laws create a strong incentive to protect personal information since the notification process is both expensive and embarrassing. Moreover, the laws have persuaded some organizations to rethink the amount of personal information they retain, since mounting data collection and retention increases the damaging consequences of a security breach.
As a result of these laws, there have been dozens of notifications from retailers (the TJX Cos. disclosure may well have been in response to a U.S. legal requirement), data aggregators, and educational institutions. Given the overlapping state notification laws, many U.S. privacy observers expect the U.S. Congress to soon enact a national notification requirement.
While the U.S. pushes forward with security breach disclosure legislation, Canadian business has argued strongly against similar reforms. The Information Technology Association of Canada, which features representatives from companies such as BCE, Telus, Rogers, Microsoft, Nortel, and Research in Motion on its board of directors, warned against mandatory notification legislation in an appearance before a parliamentary committee last month.
ITAC representatives, who expressed support for a legal framework under which the Privacy Commissioner would have no order making power and would not identify the companies subject to privacy complaints, claimed that "many organizations currently contact the Office of the Privacy Commissioner to get guidance on how to deal with security breaches" and that "mandatory notification requirements would result in notification fatigue for customers."
The ITAC position implicitly acknowledges that security breaches that place Canadians' personal information at risk are a regular occurrence, yet the organization rejects any requirement for business to disclose the breaches to their customers or be identified in the event that they are subject to a complaint over the incident.
Appearing before the same committee, Privacy Commissioner of Canada Jennifer Stoddart admitted that Canadian law "does not require organizations to take any specific actions in the event of an unauthorized disclosure." Moreover, Stoddart added that "breach notification laws may force organizations to take security more seriously. They may provide individuals with an early warning system to make them better prepared to deal with the risk of identity theft and other harms that might result from a privacy breach."
What the Commissioner neglected to say is that the current complaints-driven privacy law framework is ill-equipped to adequately address security breaches. Individuals must be aware of an alleged privacy violation in order to file a complaint. In the case of a security breach, unless the organization notifies its customers, individuals typically only become aware of the situation once their credit cards become overdrawn or their bank account is cleaned out. Indeed, Phonebusters, a Canadian consumer fraud group, reports that it receives thousands of complaints from victims of identity theft each year, with millions of dollars placed at risk.
Moreover, the Commissioner's limited powers – she has only the power to issue non-binding findings – ensure that security breach investigations (such as the one the Commissioner promised last week once the CIBC breach came to light) can yield little more than recommendations for change. There is no statutory power to require organizations to alter their privacy and security practices.
With a parliamentary committee in the midst of considering reforms to Canada's privacy law, a mandatory security breach notification requirement should move to the very top of the priority list. As millions of Canadians who shop at Winners or invest with CIBC worry about whether their personal information has been misused, it is time to remove the prospect that Canadians may be kept in the dark as their sensitive, personal information falls into the hands of identity thieves.
Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at email@example.com or online at www.michaelgeist.ca.