The Publication for Professional
Security Management

Group calls for security breach notification law

Written by Jennifer Brown, January 10, 2007
The Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa is calling on the federal government to enact legislation requiring organizations to notify individuals when their personal information is exposed to potential thieves and fraudsters as a result of a security breach.

A White Paper released by CIPPIC reviews breach notification laws enacted by more than thirty American states so far, and argues that the federal government should have similar protections in place for Canadians. During its review of the Personal Information Protection and Electronic Documents Act last November and December, the House of Commons Standing Committee on Access to Information, Privacy and Ethics heard from many witnesses who called for a security breach notification law in Canada.

"The absence of a clear requirement for notification in the case of security breaches is a glaring gap in our existing data protection law", said Philippa Lawson, Director of CIPPIC and co-author of the report. "There is no market incentive for organizations to admit to security breaches if they don't have to. Individuals whose personal data has been acquired by an identity thief from an organization with whom they do business will most likely never know of the breach and so won't be able to take measures to prevent subsequent fraud in their name. And without the prospect of costly notification and reputational loss, there is less incentive for organizations to beef up their security."

A recent poll by Harris Interactive indicates that, of the estimated 49 million Americans who were notified of unauthorized access to their personal information during the past three years, 19 per cent (about 9.3 million people) believe that something harmful happened to them as a result of the breach. Such harm included merchandise charged in their name (43 per cent), some kind of fraud costing them money (35 per cent), money taken from their bank account (18 per cent), a credit card taken out in their name (11 per cent), or someone posing as them to get a benefit or service (8 per cent).

"While there's a case to be made that notification obligations are implicit in the Act's requirements for security safeguards, such obligations should be made explicit along with clear criteria and guidelines so that organizations faced with a security breach know what they have to do", said Lawson.

CIPPIC's White Paper is available online at www.cippic.ca.
Last modified on August 07, 2008
