PIPEDA Hearings – Days 9 (banking industry) and 10 (Chamber of Commerce, Insurance)

The PIPEDA hearings resumed this week with appearances by groups from the banking sector, the Canadian Chamber of Commerce, and the insurance industry. CIPPIC has details on days nine and ten. The committee is now focused almost exclusively on a single issue – security breach notification legislation. There appears to be unanimous support for reform, including from the Conservative members of the committee who have previously expressed concern about the costs associated with private legislation.

The business representatives are demonstrating near-complete cluelessness on the issue, adamantly opposing mandatory notification.  Indeed, yesterday the chair of the committee advised the Chamber of Commerce, which included a representative from Bell Canada, that the B.C. and Ontario privacy commissioners had already released guidelines on the issue.  The writing is clearly on the wall here – security breach notification is a matter of how, not if.  Business groups would do themselves a favour by working with all stakeholders on an effective Canadian provision, rather than maintaining that no change is needed.


  1. This legislation should include more than just disclosing that it happened. It should also follow some sort of co-operation with government offices such that an impact-statement, written by the government, can inform people of the implications of the disclosure and any action they need to take to mitigate the risk.

    For example, when TD released hundreds of corporate banking email addresses to hundreds of different people during their ‘Small Business Banking Pilot’ they notified that they mistakenly shared the emails and that the list might be used to send unsolicited email.

    What they refused outright to do [despite being asked] was to notify the affected customers of the security implications of a hacker having a list of the emails of hundreds of corporate banking customers. They refused to notify their customers of the need to ensure that their computer systems were patched and up-to-date to prevent malicious use of that list.

    Instead, they chose to leave the accounts completely vulnerable, and they remain vulnerable to this day.

    This legislation should include some sort of provision to allow the government a voice in the official notification process.

  2. Dwight Williams says:

    Banks’ Rebellion?
    Not exactly encouraging…

  3. banker
    Having worked inside banks for many years, I can’t believe what goes on at the corporate level. Breaches of security/privacy are common and viewed as ‘play’ by some groups. CIBC loses half a million customers’ personal information.. come on…