With security breaches regularly affecting millions (or even billions) of people, effective security breach disclosure rules are an essential part of a modern privacy law framework. It may surprise many to learn that Canada still does not have mandatory security breach disclosure rules in effect that require companies to notify affected individuals. Rules were passed in 2015, but the accompanying regulations were puzzlingly slow to emerge. The government finally released proposed regulations late in the summer with a consultation that closed earlier this week. My submission, which focused on implementation, the content of notices, and the proposed “indirect” notification, is posted below.
While it was overshadowed by the headlines over potential copyright reform, Peter Van Loan, the government’s House leader, disclosed last week that the government is planning to send Bill S-4, the Digital Privacy Act, to the Industry Committee for review prior to second reading. The bill, which has proven controversial due to a provision that expands the possibility of voluntary disclosure of subscriber information and relatively weak security breach disclosure rules, will be open to more significant reforms than previously thought possible (my remarks before the Senate committee can be found here). Under Parliamentary rules, referring a bill before second reading allows the committee to alter the scope of the bill.
Why the Digital Privacy Act Undermines Our Privacy: Bill S-4 Risks Widespread Warrantless Disclosure
Earlier this week, the government introduced the Digital Privacy Act (Bill S-4), the latest attempt to update Canada’s private sector privacy law. The bill is the third try at privacy reform stemming from the 2006 PIPEDA review, with the prior two bills languishing for months before dying due to elections or prorogation.
The initial focus has unsurprisingly centered on the new security breach disclosure requirements that would require organizations to disclose breaches that put Canadians at risk of identity theft. Security breach disclosure rules are well-established in other countries and long overdue for Canada. The bill fixes an obvious shortcoming of the earlier bills by adding some teeth to the disclosure requirements through penalties for violations of the law. While Bill S-4 stops short of granting the Privacy Commissioner the full order-making power found at the provincial level, the creation of compliance orders holds some promise of holding organizations to account where violations occur.
Despite those positive proposed changes to Canadian privacy law, the bill also includes a provision that could massively expand warrantless disclosure of personal information.
Last week, the Privacy Commissioner of Canada released her vision of privacy reform, including the need for security breach disclosure legislation, order-making power, and greater transparency of warrantless disclosure. On the same day as Commissioner Stoddart released her position paper, the government was embarrassing itself in the House of Commons by formally opposing security breach disclosure legislation on the weakest of grounds. The opposition to meaningful privacy reform is particularly discouraging given the thousands of breaches that have occurred in recent years from within the government itself and its claims to be concerned with the privacy of Canadians.
The government introduced legislation featuring security breach disclosure requirements in Bill C-12 in September 2011 (itself a reintroduction of the former C-29, first introduced in 2010). Since first reading, the bill has not moved. It would take very little for the government to complete second reading and send the bill to committee for study, yet more than a year and a half later, the bill languishes, certain to die this summer when the government hits the parliamentary reset button. Frustrated by the inexplicable delays, NDP MP Charmaine Borg introduced a private member’s bill in February (C-475) that includes a mandatory security breach disclosure requirement roughly similar to the government’s own bill.
As Canadians focused last week on the aftermath of the Boston Marathon bombing and the RCMP arrests of two men accused of plotting to attack Via Rail, the largest sustained series of privacy breaches in Canadian history was uncovered but attracted only limited attention. Canadians have faced high profile data breaches in the past – Winners/HomeSense and the CIBC were both at the centre of serious breaches several years ago – but last week, the federal government revealed that it may represent the biggest risk to the privacy of millions of Canadians as some government departments have suffered breaches virtually every 48 hours.
The revelations came as a result of questions from NDP MP Charlie Angus, who sought information on data, information or privacy breaches in all government departments from 2002 to 2012. The resulting documentation is stunning in its breadth.
My weekly technology column (Toronto Star version, homepage version) notes that virtually every major government department has sustained breaches, with the majority occurring over the past five years (many did not retain records dating back to 2002). In numerous instances, the Privacy Commissioner of Canada was not advised of the breach.