Sun
Privacy experts often advise people that, in order to avoid having their identities stolen, they must take control and be extremely careful about how and to whom they reveal personal information.
That’s good advice, but if you keep a bank account, or buy anything from clothing to health care services, you will inevitably have to give up some control, to divulge certain personal information.
That means the businesses that possess your personal information should also be subject to stringent regulations and should take all possible measures to prevent your information from falling into the wrong hands.
And to be sure, most businesses do take their responsibilities seriously, and are subject to various legislation, from the federal Personal Information Protection and Electronic Documents Act (PIPEDA) to British Columbia‘s Personal Information Protection Act.
Yet security breaches do occur: Several high-profile incidents — involving Winners, HomeSense and CIBC’s Talvest Mutual Funds — have occurred in recent months.
When such breaches happen, the primary concern is whether the organizations that suffer the breach should be required to notify individuals who might be affected. While more than half of U.S. states require mandatory disclosure in such cases, and include financial penalties for failure to do so, the only Canadian legislation with a similar provision is Ontario‘s Personal Health Information Protection Act.
Consequently, Industry Canada, which is conducting a review of PIPEDA, has launched public consultations. Industry Canada itself has advocated a requirement to disclose certain breaches of privacy, but only those where there is “a high risk of significant harm to individuals or organizations.”
Many privacy experts and consumer advocates consider this problematic because it could set the bar for disclosure too low. Further, it could give organizations considerable discretion to decide when to disclose breaches, which is worrying given that organizations will naturally be reluctant to publicize the fact that their security measures have failed.
The consequence of this position, warn privacy experts, is that individuals might never know that they’re at risk of identity theft despite taking considerable precautions to protect themselves.
On the other hand, some privacy experts, including B.C. Privacy Commissioner David Loukidelis, have argued that there is no evidence that the strict mandatory disclosure requirements in U.S. legislation have proven to be cost-effective in reducing the risk of identity theft.
There are, after all, a variety of models that could be followed. Legislation could require disclosure whenever an unauthorized person has accessed databases containing personal information, or only if there is reason to believe the unauthorized person has actually acquired personal information, or only if there is a significant threat of identity theft.
Similarly, there are several models concerning to whom disclosure ought to be made. Some experts suggest that organizations ought to disclose all breaches to their clients, while others suggest that organizations should notify a provincial or federal privacy commissioner if a relatively insignificant breach occurs, with the privacy commissioner determining if individuals ought to be informed.
Clearly, this is an issue about which there are many different views. But just as clearly, virtually everyone seems to agree on a few basic points, points that should be included in any amendment to privacy legislation.
First, it’s essential that Canadian privacy legislation include some provisions for mandatory disclosure of security breaches. Second, the requirements must be backed up by the ability to levy significant financial penalties against the businesses that fail to disclose the information.
Third, whatever threshold is chosen for disclosure, it must at least be an objective standard, so that organizations aren’t given so much discretion that they can effectively exempt themselves from the requirements.
© The Vancouver Sun 2007
