Canada looks to up the ante on privacy breach notification
By Vawn Himmelsbach
Retail giant TJX, which owns Winners and HomeSense in Canada, made headlines when it compromised 45.7 million customer accounts. But it also forced change. Breach notification laws, where businesses are required to notify clients in the case of a data breach, have been spreading across the U.S. Now legislative reviews of Canadian laws are heading in the same direction.
By Vawn Himmelsbach
But many Canadian businesses are still confused about what exactly
constitutes a data breach and what their legal duties are to notify
authorities, regulators and clients in the event of lost or stolen data.
That lost or stolen data could result in anything from financial harm
through identity theft to safety issues regarding personal health, says
David Loukidelis, information and privacy commissioner of British
Columbia, at the International Association of Privacy Professionals
(IAPP) conference held here last week.
In the U.S., 40 states have responded by passing laws around breach
notification. And this is the trend now across Canada, as
reviews of privacy laws are taking place both federally and
“We came up with recommendations for reform,” says
Loukidelis. This means, under certain circumstances, B.C. businesses
are required to inform clients that their data has been breached, so
risk is reduced in the future.
“We’ve been talking about it for years, but it is timely with the
federal guidelines being circulated by Industry Canada,” says Jeff
Green, vice-president of the Global Compliance and Chief Privacy Office
with RBC Royal Bank.
The Privacy Commissioner of Canada has guidelines
in place to help organizations take the right steps after a privacy
breach, as do the provinces of B.C. and Ontario. But Industry Canada is
Basically, a breach occurs when there is unauthorized access to, use or
disclosure of personal information, and when that’s in contravention of
applicable privacy legislation such as PIPEDA. Some of the most common
breaches are accidents or mistakes, says Green, such as when someone
sends a document to the wrong address or a laptop is stolen in a car ”“
or simply through faulty business procedures or operational breakdowns.
But the cost to recover from a breach is $100 to $300 per compromised
record ”“ including the cost of investigation and putting in an IT
solution to deal with future breaches. The biggest hit, however, could
be lost productivity and lost clients. “People will deal with you
differently if they’ve heard you’ve had a big breach,” says Green. In
fact, 60 per cent of consumers who received breach notification
terminated or considered terminating their relationship with the
offending company, according to the Ponemon Institute. However, almost
30 per cent of all reported breaches originated with external partners,
consultants, outsourcers or contractors.
In the U.S., the definition of sensitive information includes a
person’s name and address, but must be used in conjunction with data
that can allow access to personal information, such as a social
security number. “We need to work in more of that in the Canadian
context,” says Green.
It’s important to evaluate the risks associated with a breach to
determine immediate next steps. To whatever extent possible, determine
the cause. Was the information lost or stolen? Was the information
recovered, and does that constitute a breach? That happened at RBC,
says Green, and after a forensics team examined the offending laptop,
it found there had not been a breach, so no notification was necessary.
“No breach is the same,” he said. “There’s not a one-size-fits-all
approach.” But, he added, the likelihood that you’re going to deal with
a breach is high.
After assessing the severity of a breach, it’s possible that businesses
will have to notify law enforcement, regulators and clients, and
determine what form that notification will take ”“ possibly even issuing
a media release.
The U.S. guidelines are practical and easy to implement, said Green, so
RBC has adopted those for its global program. With the proposed changes
to PIPEDA, the overarching objective should be protection of
individuals, he added. But we need to get a better definition of what
constitutes a material breach, and any legislation should take into
account the fact that more than detection is required before reporting.
Retailers tend to be a touch-point for this, said Derek Nighbor, senior
vice-president of national affairs with the Retail Council of Canada.
Retail is a customer-driven industry and convenience rules the day.
Online sales are growing, consumers are better informed and retail
crime is becoming more organized ”“ so retailers are under more pressure
to meet these demands. Retail theft is a $3 billion industry, with $186
million in credit card fraud losses and $95 million in debit card
Despite these losses, the Retail Council of Canada has been
recommending that its members err on the side of caution and not retain
driver’s license information for means of identification. “Some of our
members have not been thrilled with us,” he says. TJX, for example,
retained driver’s licence information since November 2005.
“Less is more,” he says. “Do not ask for more information than you
need.” There should be ongoing staff training, he added, as well as a
The challenge is that many retailers are fearful that if they pick up
the phone and call the privacy commissioner, there’s going to be an
investigation and it could get blown out of proportion. Some retailers
felt they were burned in the process. “That’s one issue I’ve seen from
our membership,” says Nighbor. “It creates a disincentive to report. We
need to have a better idea as to what goes on.” Retailers also don’t
understand how far they have to go with notification, since that isn’t
outlined in the privacy guidelines.
But a lot of good has come out of the TJX breach, such as a renewed
focus on the importance of e-discovery ”“ and that’s a big part of what
we’re seeing in retail now. “It’s a four-letter word to them,” he said,
“but they know they have to do it.”