The Parliament of Canada recently introduced Bill C29, also known as an act that amends the Personal Information Protection and Electronic Documents Act (PIPEDA).
The new proposal makes it mandatory for businesses to notify consumers when their personally identifiable information (PII) has been breached, and it clarifies ambiguities in the original legislation – but does it go far enough?
If a breach falls in the forest…
U.S. breaches are front-page news on a weekly basis – but rarely in Canada. Does that mean Canadian companies have better security controls? Are they less frequently targeted by cybercriminals looking for credit card numbers, Social Security numbers and other identity information? Or frankly, does it mean they are sweeping data breaches under the rug because they're not required to report when consumers may be at risk?
Meanwhile, there has been a substantial increase in the number of breaches reported in the U.S. since 2003, when California's SB 1386 went into effect, requiring U.S. companies to alert customers in California to potential data breaches. Since then, blockbuster breaches such as Heartland and TJX have been reported, driving 44 other states to follow California's lead – including Massachusetts, which may have the strictest data law in the United States – and encouraging other countries to consider creating and enforcing breach notification laws.
Although PIPEDA was first passed in the late 1990s and came fully into effect in 2004, this is the first time the Canadian government has attempted to define a data breach notification mandate at the federal level. A set of voluntary guidelines on dealing with breaches was published in 2007 by the federal privacy commissioner – but those guidelines are not legally enforceable.
The new law brings a number of important enhancements to PIPEDA, including clarifying when law enforcement agencies and other “lawful authorities” can request non-public information about individuals. It also excludes “business contact information” from PIPEDA's privacy provisions – including name, title, and work contact details such as email address – because this is essentially the same information that's often freely handed out on a business card.
The most significant clause would require banks, retailers and other companies to report any "material breach of security safeguards involving personal information under their control.” But the definition of “material breach” remains open to an individual company's interpretation.
In particular, the proposed bill states that:
- In determining whether a breach is material, businesses must consider the sensitivity of the information and whether the cause of the breach or pattern of breaches indicates a systemic issue.
- Notification to affected individuals will be required if it is reasonable in the circumstances to believe that the breach creates a “real risk of significant harm” to the individuals whose personal information is involved.
- “Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record and damage to or loss of property.
- Factors relevant to determining whether there is a real risk of significant harm include the sensitivity of the information and the probability that the information has been, is being or will be misused.
In other words, the bill states that companies have the right to determine whether to even disclose a breach based on the type of information stolen, number of customers affected and whether the company thinks there's a real risk of significant harm to the individual(s).
In comparison, U.S. state laws stipulate mandatory disclosure whenever personal information has been acquired by an unauthorized person, or whenever there is risk of any harm (not just “significant harm”). Also, unlike C-29, which contains no clear penalties for failure to disclose a breach, U.S. state laws also establish harsh monetary penalties for failure to promptly comply (such as up to $750,000 in Michigan).
Massachusetts – A model data breach law?
The Massachusetts law goes far beyond C-29, and is considered a potential standard for more stringent data security legislation. It establishes a clear legal standard of “due care” – the level of diligence that a prudent and competent expert would exercise under a given set of circumstances – which could make it easier for plaintiffs in civil lawsuits to sue negligent organizations.
This approach is gaining momentum because many banks are eager to shift the high cost of credit card fraud and consumer notification letters to those organizations that are often responsible for the initial data breach, such as retailers with weak security controls.
The Massachusetts law goes far beyond C-29 by:
- Focusing on prevention rather than just notification. Similar to PCI-DSS (Payment Card Industry Data Security Standard), it obliges organizations to create written policies for protecting consumer data, train employees to follow the rules, deploy encryption for data-in-transit and stored on portable media and create an audit trail for monitoring all access to sensitive data (used to identify insider threats, for example).
- Obliging organizations to report breaches in a more timely manner – “as soon as practicable and without unreasonable delay” – rather than “as soon as feasible” with the Canadian law (the California law states that notification must occur “in the most expedient time possible” and “without unreasonable delay”).
- Applying to state government agencies as well as private sector organizations. In other words, when it comes to data security, the government is held to the same high standards as companies.
A good start but ….
If Canadian companies are left to self-regulate, there's absolutely no incentive to stick their necks out on the line – and risk the financial and reputational backlash associated with data breach disclosures.
Bill C29 is a good start because it institutes mandatory notification for the first time. But it clearly needs more teeth in areas such as financial penalties, timeliness of disclosures, the need for preventive controls – and giving organizations less discretion in deciding when and if disclosure must occur.