Canada’s proposed new law on data breaches is a toothless piece of legislation that amounts to little more than a sugar pill when it comes to protecting consumers’ privacy and personal information, an Ottawa-based watchdog group said Monday.
In its report “Data Breaches: Worth Noticing?”, the Public Interest Advocacy Centre (PIAC) recommends toughening Bill C-12, proposed federal legislation introduced in Parliament in 2010 to safeguard Canadians against data breaches.
Bill C-12, which would amend the current Personal Information Protection and Electronic Documents Act (PIPEDA), died on the Order Paper and was reintroduced in Parliament last year. It will be renumbered once again and reintroduced in the House this spring, PIAC's John Lawford said, where it will probably be studied by the industry, science and technology committee.
“(C-12) is like a placebo. It looks like you have protection but you really don’t,” said John Lawford, counsel at PIAC and co-author of the report.
PIAC’s biggest beef with C-12’s current incarnation is that it only calls for voluntary reporting of breaches. PIAC wants mandatory reporting “of all data breaches to the relevant privacy commissioner either as soon as reasonably possible or within a short time window such as 48 hours,” the report states.
“We want a data breach law. But I think this particular law actually risks making things worse for consumers because it looks like you’ve got a law but you don’t. What you’ve got is a voluntary reporting system with all the discretion for reporting with the company (versus consumers),” Lawford said.
PIAC also said in the report that it wants to see “clear monetary penalties” for not reporting breaches, but the report stops short of suggesting a dollar figure.
Only four provinces presently have mandatory reporting laws in place for data breaches. Laws in Ontario, New Brunswick and Newfoundland require mandatory reporting, but only for breaches involving health care data. In May 2010 Alberta brought in laws requiring reporting of all types of data breaches, the only province so far to do so.
Allowing data breaches to be reported voluntarily seems to be discouraging companies and organizations from disclosing such incidents, Lawford said. He pointed out that although breaches voluntarily reported to the Office of the Privacy Commissioner of Canada (OPCC) fell from 65 in 2008 to 44 in 2010, the number of breaches reported in Alberta jumped more than threefold, from 15 to 49 incidents, after the province brought in mandatory reporting laws.
“Overall it’s easy to see that companies are not falling over themselves to report this and if the (federal or provincial) privacy commissioner is not sort of unofficially sending out the message that ‘You better tell me under these guidelines,’ then (companies) think they don’t have to,” Lawford said.
Though federal privacy commissioner Jennifer Stoddart was not available for an interview by ITBusiness.ca’s deadline, spokesman Scott Hutchinson emailed a statement saying the OPCC “generally believes Bill C-12 takes a reasonable approach with regard to consumer notification. As now written, this is very similar to the steps outlined by our voluntary guidelines.”
Under Ontario’s Personal Health Information Protection Act (PHIPA), health care breaches have to be reported to affected patients but not to the federal or provincial privacy commissioner, said Ontario’s assistant privacy commissioner Ken Anderson. But many cases involving “a high number of people or files … or a big sensitivity” are usually reported to the Information and Privacy Commissioner (IPC) of Ontario anyway, Anderson said.
Although the IPC can’t levy fines or impose penalties for breaches in the traditional legal sense, the agency has “never had a non-compliance” case yet where its orders or recommendations have not been followed after a breach disclosure, he said.
Emphasizing that he had not had a chance to get through PIAC’s entire 116-page report, Anderson said the issue of mandatory reporting overall involves a lot of variables and nuances that could make it hard to legislate and enforce with a blanket provision to disclose all breaches all the time.
“(If reporting is) mandatory in all cases, you could have things that are technically a breach but are quite trivial. And what are the criteria that constitute a breach? If you say you can’t find your USB key in your office? So there’s a whole set of things one has to think about in terms of triggering it,” Anderson said. “It’s not as simple a question as it seems at first blush.”
Drawing up rules for mandatory reporting wouldn’t be easy, Anderson said. Even if a rule were made requiring only breaches of unencrypted data to be disclosed, that would assume all encryption methods and programs are of a high enough standard to protect privacy and personal data, he said.
“Encryption changes. It’s evolving all the time. You have to keep pace with the current publicly available, reasonable standards,” Anderson said.
The PIAC study argues there’s a business case for mandatory breach disclosure. It points to the April 2011 breach of Sony PlayStation security when an estimated 10 million users may have had their credit card information leaked. Sony did not publicly announce that any credit card data may have been compromised until two weeks after the breach took place. Some legal experts say the entire incident could cost Sony an estimated $3 billion in recovery, insurance and liability costs, with its delay in disclosure a possible factor in potential lawsuits by PlayStation customers.