Canada looks to up the ante on privacy breach notification
Written by Vawn Himmelsbach May 26, 2008
Retail giant TJX, which owns Winners and HomeSense in Canada, made headlines when it compromised 45.7 million customer accounts. But it also forced change. Breach notification laws, where businesses are required to notify clients in the case of a data breach, have been spreading across the U.S. Now legislative reviews of Canadian laws are heading in the same direction.
That lost or stolen data could result in anything from financial harm through identity theft to safety issues regarding personal health, says David Loukidelis, information and privacy commissioner of British Columbia, at the International Association of Privacy Professionals (IAPP) conference held here last week.
In the U.S., 40 states have responded by passing laws around breach notification. And this is the trend now across Canada, as reviews of privacy laws are taking place both federally and provincially.
“We came up with recommendations for reform,” says Loukidelis. This means, under certain circumstances, B.C. businesses are required to inform clients that their data has been breached, so risk is reduced in the future.
“We’ve been talking about it for years, but it is timely with the federal guidelines being circulated by Industry Canada,” says Jeff Green, vice-president of the Global Compliance and Chief Privacy Office with RBC Royal Bank.
The Privacy Commissioner of Canada has guidelines in place to help organizations take the right steps after a privacy breach, as do the provinces of B.C. and Ontario. But Industry Canada is proposing reforms.
Basically, a breach occurs when there is unauthorized access to, use or disclosure of personal information, and when that’s in contravention of applicable privacy legislation such as PIPEDA. Some of the most common breaches are accidents or mistakes, says Green, such as when someone sends a document to the wrong address or a laptop is stolen in a car - or simply through faulty business procedures or operational breakdowns.
But the cost to recover from a breach is $100 to $300 per compromised record - including the cost of investigation and putting in an IT solution to deal with future breaches. The biggest hit, however, could be lost productivity and lost clients. “People will deal with you differently if they’ve heard you’ve had a big breach,” says Green. In fact, 60 per cent of consumers who received breach notification terminated or considered terminating their relationship with the offending company, according to the Ponemon Institute. However, almost 30 per cent of all reported breaches originated with external partners, consultants, outsourcers or contractors.
In the U.S., the definition of sensitive information includes a person’s name and address, but must be used in conjunction with data that can allow access to personal information, such as a social security number. “We need to work in more of that in the Canadian context,” says Green.