Appeared in the Toronto Star on May 31, 2010 as "Security breach disclosure bill has bark but no bite"
Last week Industry Minister Tony Clement unveiled two bills touted as important components of the government’s national digital strategy. The Fighting Internet and Wireless Spam Act is a repeat of the anti-spam bill that passed through the House of Commons last year but died after Parliament prorogued. Since the new bill reflects roughly the same compromise that garnered all-party support, it should receive swift passage.
My weekly technology law column argues that the second bill, the Safeguarding Canadians' Personal Information Act, is likely to be far more controversial. The bill amends Canada’s existing privacy legislation by establishing new exceptions for businesses and new powers for law enforcement.
The centrepiece is a long overdue security breach disclosure requirement. Over the past seven years, virtually every U.S. state has enacted disclosure rules that compel organizations that suffer a security breach that places personal information at risk to promptly disclose that fact to the affected individuals. By mandating notification, the laws ensure that individuals are better able to guard against identity theft by closely monitoring their credit card bills, bank accounts, and credit reports for any unusual activity.
From a business perspective, the laws create a strong incentive to protect personal information since the notification process is both expensive and embarrassing. Moreover, the laws have persuaded some organizations to rethink the amount of personal information they retain, since mounting data collection and retention increases the damaging consequences of a security breach.
The Canadian proposal establishes two requirements. First, businesses are required to report a "material breach of security safeguards involving personal information under its control" to the Privacy Commissioner. The business determines whether the breach meets this standard by assessing the sensitivity of the information, the number of individuals affected, and whether there is a systemic security problem.
Second, businesses are required to notify individuals affected by the breach "if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual." The business makes its own determination of whether there is a real risk by considering the sensitivity of the information and the probability that the personal information will be misused.
While the bill is better than the current situation where there is no security breach disclosure requirement, it falls far short of the rules found elsewhere. The government’s proposal sets a very high threshold for disclosure of a breach and contains no clear penalties for non-disclosure.
By comparison, the California law establishes a threshold of whether an unauthorized person acquired the information, not whether there is real risk of significant harm (other states merely require harm, not significant harm). Moreover, the California law requires disclosure in the most expedient time possible and without unreasonable delay – far quicker than the Canadian plan.
Some states also establish tough penalties for failure to promptly notify. For example, Florida's law provides for penalties of up to US$500,000 for failure to notify affected individuals and up to US$50,000 for failure to document non-notifications of security breaches.
Security breach disclosure was widely recognized as a major hole in the Canadian legal framework, yet this proposal is a disappointment that falls short of striking the right balance between protecting Canadians, encouraging appropriate safeguards for personal information, and guarding against overwhelming Canadians with too many notices.
In fact, with no penalties for failure to notify security breaches, the provisions may do more harm than good. If it becomes law, Canadians will expect to receive notifications in the event of a breach, but companies may err on the side of not notifying, safe in the knowledge that there are no established financial penalties for failing to do so.