Group calls for security breach notification law
The Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the
University of Ottawa is calling on the federal government to enact
legislation requiring organizations to notify individuals when their
personal information is exposed to potential thieves and fraudsters as a
result of a security breach.
A White Paper released by CIPPIC reviews the breach notification laws
enacted so far by more than thirty American states and argues that the
federal government should put similar protections in place for Canadians.
During its review of the Personal Information Protection and Electronic
Documents Act last November and December, the House of Commons Standing
Committee on Access to Information, Privacy and Ethics heard from many
witnesses who called for a security breach notification law in Canada.
"The absence of a clear requirement for notification in the case of security
breaches is a glaring gap in our existing data protection law", said
Philippa Lawson, Director of CIPPIC and co-author of the report. "There is
no market incentive for organizations to admit to security breaches if they
don’t have to. Individuals whose personal data has been acquired by an
identity thief from an organization with whom they do business will most
likely never know of the breach and so won’t be able to take measures to
prevent subsequent fraud in their name. And without the prospect of costly
notification and reputational loss, there is less incentive for
organizations to beef up their security."
A recent poll by Harris Interactive indicates that, of the estimated 49
million Americans who were notified of unauthorized access to their personal
information during the past three years, 19 per cent (about 9.3 million people)
believe that something harmful happened to them as a result of the breach.
Such harm included merchandise charged in their name (43 per cent), some kind of
fraud costing them money (35 per cent), money taken from their bank account (18 per cent), a
credit card taken out in their name (11 per cent), or someone posing as them to get
a benefit or service (8 per cent).
"While there’s a case to be made that notification obligations are implicit
in the Act’s requirements for security safeguards, such obligations should
be made explicit along with clear criteria and guidelines so that
organizations faced with a security breach know what they have to do", said
CIPPIC’s White Paper is available online at www.cippic.ca.