Jul 27, 2010
Positive response to Canadian data breach law update
By Robin Arnfield, News Editor
Experts consulted by Payments Business are generally positive about a House of Commons Bill which proposes to update Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA, which provides a federal framework for data privacy in Canada, came into effect in 2004. Parliament is required to update the bill every five years.
Bill C-29 had its first reading in the House of Commons in May 2010.
It proposes to add a requirement to PIPEDA that the Federal Privacy Commissioner of Canada, Jennifer Stoddart (http://www.priv.gc.ca/index_e.cfm), must be notified about any ‘material’ data breaches that a Canadian organisation may experience. The Bill would also require organisations to notify consumers about any unauthorized access to personally identifiable information about them that could cause them actual harm.
PIPEDA in its current form does not require organisations suffering a data breach to notify the Privacy Commissioner or consumers, a feature that has led many commentators to say the law is ineffective.
“I would agree with the view that PIPEDA as it is currently constituted is toothless,” Rob Burbach, a Toronto-based senior analyst at IDC Financial Insights, says. “We don’t hear about what is happening in Canada with regard to data security breaches, and why would we, as there is currently no requirement to report them?”
There are two categories of data breach, Burbach points out. “There are hardware attacks, for example where a skimming device is attached to an ATM or POS terminal,” he says. “Then there are software breaches – cyber-attacks – such as the hack into U.S.-based retailer TJX’s computer system. We hear about hardware attacks in Canada because the police tend to get involved, but we never hear about cyber-attacks in Canada.”
“I think the biggest concern is that the update introduced by Bill C-29 allows the business suffering a breach to decide whether it is material before disclosing it to the Privacy Commissioner,” says Canadian privacy lawyer and consultant Fazila Nurani. “This decision is in the business’s hands. Also, it is up to the business to decide whether any individuals are damaged as a result of the breach and whether to notify them.”
However, Nurani, who is president and founder of PrivateTech Consulting, says that the Bill is a step in the right direction. “A lot of work has gone into the consultations that led to the Bill being published,” she says. “I would think that it could pass into law in 2011.”
Under the Bill, organisations experiencing a data breach must decide whether to report the incident, based on whether a ‘reasonable person’ would judge it reportable. “There is a lot of well-tested case law in Canada about ‘reasonable persons,’” Nurani says. “Any firm making a decision on reporting breaches will realize that their decision-making processes could be examined in court to see if they are ‘reasonable.’”
Nurani argues that one strength of PIPEDA in its current form is that the Privacy Commissioner has the power to name organizations whose data protection policies are inadequate. People who are affected by a data breach can complain to the Privacy Commissioner’s office, and request an investigation.
“Under PIPEDA, the Privacy Commissioner cannot impose fines, but she can make her findings public and issue recommendations, and she can even go to court if her findings are ignored,” Nurani says. “No organization will want to be named and shamed by the Privacy Commissioner, so they will most likely want to comply with her recommendations.”
“Canadian businesses are aware that in other countries such as the U.S., there is a requirement for organisations to report data breaches,” John Weigelt, National Technology Officer, Microsoft Canada, says. “I think Canadian organisations will be willing to collaborate with the Privacy Commissioner and notify her of breaches.”
“It would be great for Canadian consumers if PIPEDA added a requirement to report any data breaches,” Burbach says. “If there is a requirement to report breaches, then you will see firms investing in data security technologies because the reputational risk of suffering a breach is so enormous.”
Nurani says that provincial Canadian data privacy laws such as Alberta’s are tougher than PIPEDA. “Under the province of Alberta’s law, firms are mandated to report all breaches to the Albertan privacy commissioner, irrespective of whether it is material or whether any individuals are damaged by the breach,” she says.
“Bill C-29 is a move in the right direction because it institutes mandatory notification for the first time,” says Phil Neray, vice-president of security strategy for Guardium, an IBM company. “Where it lacks teeth is in areas such as financial penalties, timeliness of disclosures, the need for preventive controls – and giving organizations less discretion in deciding when and if disclosure must occur. The big question is: why would a company, left to self-regulate, risk the financial and reputational backlash associated with disclosing a data breach?”