Data gone Missing? What Could-Would-Should You Do About It?

Gowling/ITAC Privacy Seminar

May 8, 2007
Toronto, Ontario

Address by Patricia Kosseim
General Counsel, Office of the Privacy Commissioner of Canada

(CHECK AGAINST DELIVERY)


Introductory Remarks

First, on behalf of the Commissioner, my colleague Ann Goldsmith and I would like to thank you for the opportunity to speak to you today, and we send the Commissioner's regrets for not being able to be here in person. She was recently asked to appear before the House of Commons Standing Committee on Access to Information, Privacy and Ethics to speak to Parliamentarians about identity theft, an issue very much related to the topic we were asked to address here today: breach notification. Like the Hockey Canada officials dragged before another Commons committee last week, the Commissioner's appearance is a command performance.

Outline

In the twenty minutes I have, I would like to:

  • first, describe the scope of ID theft as a problem in Canada today, to the extent we can define it, and its link to breach notification;
  • second, summarize the various viewpoints expressed by different stakeholders on how the duty to notify should be dealt with in the context of PIPEDA review;
  • third, describe the position taken by the Parliamentary Committee that was charged with making recommendations for PIPEDA review and issued its final report just last week;
  • fourth, describe the initiative that is currently underway to develop guidelines as an interim solution, as we await a legislative response at the federal level; and,
  • finally, briefly highlight some of the other recommendations in the Parliamentary Committee report.

Scope of the Problem

One of the main drivers for a duty to notify of security breaches is the growing threat of ID theft and the pervasive toll it takes on victims entangled in its global web. While we know that identity theft is a significant problem in Canada, it is difficult to scope out the true extent of the problem. Not every victim reports the crime, and there is no central reporting mechanism to keep track of incidents as they happen. Phonebusters, the Canadian Anti-Fraud Call Centre, has reported that, while there appears to have been a decrease in the number of victims from 8,204 in 2002 to 7,778 in 2006, the extent of monetary loss resulting from ID theft has gone up from $11.8 million to $16.2 million during that same time period. However, even Phonebusters concedes that these figures are not necessarily representative of reality, as the number of reported ID thefts called into the Centre captures only a small percentage of the actual incidents happening on a daily basis.

Whatever the exact statistical figures may be, one thing is certain: the problem has caught our attention. A 2006 survey conducted by Ipsos Reid determined that seventy-one per cent of Canadian respondents are concerned about the fact that their "identity may be stolen and used for fraudulent means by criminals for financial gain."

While everyone is interested in identity theft, there is no one designated body that has been charged with assessing and addressing the problem in Canada.  In the US, on the other hand, President Bush established an identity theft task force a year ago, to marshal US federal government resources to fight the problem.  Just last month, the Task Force tabled a coordinated Strategic Plan to tackle the problem head on with law enforcement measures, prevention mechanisms, education efforts and victim recovery support.  

The causal link between ID theft and breach notification is not clear-cut.  Notification of breach is intended as an immediate response to mitigate against the risk of ID theft.  However, it is not always known whether: 1) the security breach was carried out purposely with a view to stealing individuals’ personal information; 2) the security breach happened accidentally and as an unintended consequence the personal information lost could find its way onto the black-market and into the hands of identity thieves; or, 3) the mere fact of publicly announcing the breach can itself put thieves on notice of the value of the data gone missing and set them conveniently onto the scent of a potentially lucrative venture. 

Security breaches are not happy events in the lives of corporate management.  Many of you have read about these unfortunate incidents in newspaper accounts over recent months, but let me just refresh your memory about some of the recent breaches in Canada’s private sector that rang in the New Year:

  • In Gatineau, Quebec, thieves reportedly stole money from the bank accounts of at least 350 shoppers, and may have stolen banking information of up to 1,600 people by using tampered debit card readers.  A police spokesman suggested that several organized groups of criminals were modifying debit card readers to enable them to get the information they need to clone cards. 
  • A hard drive containing the personal information of almost half a million clients of Talvest Mutual Funds, a subsidiary of CIBC, went missing.  The bank notified our Office of this incident. The Commissioner has launched an investigation into this security breach using her powers under PIPEDA.
  • At about the same time, we learned that Canadians had been affected when customer data of the American retailer TJX Cos., whose chains include Winners and HomeSense, was stolen by a hacker who repeatedly broke into its network.  Some estimate that from one to two million Canadian credit cards issued by banks and other institutions could have been left vulnerable by the breach. Our Office is now investigating this incident along with the Alberta Information and Privacy Commissioner. 
  • Several days ago, a Winnipeg newspaper reported that hundreds of documents containing personal information about the customers of a local insurance company were found in a dumpster.  The newspaper reported that, as a result of this, the insurance company could face suspension as a Manitoba Public Insurance broker. 

PIPEDA Review: The Consultation Process

As many of you may know, Parliament began its mandatory five-year review of PIPEDA several months ago.  In preparation for that review, the Office of the Privacy Commissioner of Canada released a discussion document last June identifying a number of aspects of PIPEDA that Parliament might consider during its review.

We were pleased to receive 63 submissions in reply to the discussion document. Among those submissions, there was no consensus about whether there should be a legislative requirement to notify of breaches, and if so, in what cases and how notification should be required.

Some of the submissions called for heavy fines or penalties for failure to notify of breach. One consumer advocacy organization argued that PIPEDA should permit civil actions for a failure to notify.

As you can see, there was considerable variation in the views expressed by interested stakeholders during our consultation process.  Equipped with these views, the Commissioner appeared before the Standing Committee on Access to Information, Privacy and Ethics in late November of last year and again last February.

The Commissioner called for urgent measures to resolve the data breach notification issue. The Commissioner was particularly concerned with how such breaches would facilitate identity theft, pretexting and the illegal trade in personal data.

She noted the potential value of breach notification in providing individuals with an early warning system to make them better prepared to deal with the risk of identity theft and other harms that might result from a breach. At the same time, the Commissioner recognized the difficulty of simply incorporating a duty to notify into the current PIPEDA model, since there is no straightforward way of penalizing organizations for failure to do so. PIPEDA establishes the Privacy Commissioner as an ombudsman, and does not afford her direct powers of enforcement like those of her Ontario, Alberta and BC counterparts.

While the Commissioner recognized that determining the appropriate enforcement model would require additional time and consultation, she strongly encouraged the Committee to recommend amending the Act to include a breach notification provision. The Commissioner was not alone in this recommendation.  Many other witnesses likewise called for a new provision to be added, though the specific modalities varied from one proposal to the next. 

PIPEDA Review: The Committee Report

On May 2, the House of Commons Standing Committee on Access to Information, Privacy and Ethics released its report on PIPEDA review. On the issue of breach notification, the Committee recommended:

  • First, that PIPEDA be amended to include a breach notification provision requiring organizations to report certain breaches of their personal information holdings to the Privacy Commissioner.
  • Second, that upon being notified of a breach, the Privacy Commissioner would make a determination as to whether affected individuals and others should be notified.
  • Third, that in determining the specifics of an appropriate notification model for PIPEDA, consideration be given to questions of timing, manner of notification, penalties for failure to notify, and the power to notify credit bureaus without consent in order to help protect consumers from identity theft and fraud.

Depending on the threshold that is ultimately chosen for requiring organizations to report breaches to the Commissioner, we wonder whether shifting the responsibility onto our Office (as the middleman) to assess and determine whether individuals should be notified in each reported instance might create an unworkable burden on our Office, with significant resource and capacity implications.

The Department of Industry has 120 days to respond to the Committee report.  And, as you all know, if an election is called, nothing will come of the Committee report in any event.

Proposed Guidelines in the Interim

Recognizing the length of time it might take to amend PIPEDA to include an express breach notification requirement, the Commissioner was already, at the time of her Committee appearance in February, exploring the idea of developing interim guidelines at the federal level, along the lines of what has already been introduced provincially in British Columbia and Alberta. Ontario too has guidelines, of course, though they differ somewhat given the fact that Ontario is currently the only jurisdiction in Canada with an express, legislated requirement for mandatory breach notification, in its Personal Health Information Protection Act.

An initial draft of breach notification guidelines at the federal level was prepared by a group of private sector organizations. In mid-April, our Office held a consultation session to discuss these draft guidelines among a broader group of stakeholders, including about 15 representatives from the private sector, as well as representatives from the Alberta, British Columbia, and Ontario Commissioner's offices, and a number of representatives from public-interest advocacy groups.

The draft guidelines, closely resembling the BC and Alberta models, identify four key steps when responding to a breach or suspected breach:

  • Breach containment
  • Risk Evaluation
  • Notification, and
  • Prevention.

In the interest of time, I will elaborate only on the third key step – that of notification.

On the question of whether to notify, the guidelines do not recommend notification in every circumstance. They suggest that the key consideration in deciding to notify should be whether notification is necessary to help avoid or mitigate harm to an individual whose personal information has been lost or inappropriately accessed.

As for when, notification should occur as soon as reasonably possible following assessment and evaluation of the breach.  However, if law enforcement authorities are involved, notification may need to be delayed to avoid compromising an ongoing investigation. 

As for how to notify, the draft guidelines suggest that the preferred method of notification is directly to the affected individuals, whether by phone, by letter, by e-mail or in person. Indirect notification (for example, website information, posted notices and announcements to the media) should generally occur only where direct notification could cause further harm, is prohibitively costly, or where current contact information for the affected individuals is not known.

As for who should notify, the draft guidelines suggest that, generally speaking, the accountable organization (the organization that owns the data) should carry out the notification, even if the breach occurs at a third-party service provider that has been contracted to maintain or process the personal information.

The guidelines go on as well to recommend what content should be included in a notification, as well as what authorities or organizations should be contacted, such as, police, insurers, professional or regulatory bodies, credit card companies, financial institutions or credit reporting agencies, and the relevant Privacy Commissioner’s office, as appropriate in the circumstances.

Unfortunately, some of the civil society groups that had been part of the stakeholder consultation pulled out of the process on the grounds that the initial discussion draft, prepared by industry, was inherently biased towards a pro-business approach. They were also of the view that there should be a legislative requirement to notify individuals, with which we agree. Though we hoped they would continue to participate in the development of guidelines until such time as legislation might be in place, we certainly appreciate and respect their views.

Even if the Committee’s recommendations relating to breach notification are enacted into law, it will not happen overnight.  In the interim, we are continuing to work with stakeholders to develop and adopt these notification guidelines until such time as legislation can be introduced.  We hope to have the guidelines available on our website by June. 

Other Committee Recommendations of Interest to the Business Community

Other than the Committee's recommendations on breach notification, I will, in the brief time I have left, highlight for you some of the other major recommendations relevant to the business community.

  • The Committee recommended the Privacy Commissioner’s ombuds powers not be changed at this time. 
  • It also recommended that no amendment be made to the Privacy Commissioner’s discretionary power to publicly name organizations in the public interest. 
  • The Committee recommended amending PIPEDA to include a provision permitting organizations to collect, use and disclose personal information to prospective purchasers or business partners without consent, in the context of mergers or acquisitions.
  • On the issue of trans-border data flows, the Committee recommended no change to PIPEDA. 
  • However, it did recommend that the Privacy Commissioner be granted the authority to share information and cooperate in investigations of mutual interest with provincial counterparts that do not have substantially similar private sector legislation, as well as with international data protection authorities, provided the information remains adequately protected from disclosure to a foreign court or other government authority for purposes other than investigation of the transborder data flow at issue.
  • The Committee also acknowledged the difficulty of trying to transpose the consent model designed primarily for a commercial context to the employment context.  The Committee recommended that the Quebec, Alberta and BC private sector laws be considered as possible models for amending PIPEDA to address employer-employee issues.
  • The Committee recommended PIPEDA include a definition of work product that expressly recognizes it as not constituting personal information for the purposes of the Act.
  • The Committee also agreed that the business contact exception to the definition of personal information should be expanded to include other means of contacting persons for business reasons, such as fax numbers and email addresses.
  • The Committee recommended eliminating the regulatory process of determining investigative body status that currently exists under PIPEDA and replacing it with a definition of investigation similar to that in Alberta and BC.
  • The Committee recommended an expedited application process to Federal Court for reviewing organizations’ claims of solicitor-client privileged documents.  The extent of the Commissioner’s authority to review documents which organizations claim are exempted from PIPEDA on grounds of solicitor-client privilege is currently before the Supreme Court of Canada in The Privacy Commissioner and Blood Tribe Department of Health.
  • The Committee recommended the addition of other individual, family or public interest exemptions in order to harmonize with the Alberta, Quebec and BC approaches, as a way of dealing with exceptional situations such as access to dental records for post-mortem identification, and disclosures to relevant persons to protect against elder abuse.

Overall, we have been very pleased with the review process. The fact that PIPEDA contains a mandatory legislative review clause gives us all a timely opportunity to reflect upon how well PIPEDA is working, or not working, in the private sector after its first five years of existence. It has given relevant stakeholders a chance to express and hear different perspectives on how the Act might be improved to meet emerging challenges. We look forward to the government's response to the Committee's recommendations and to working with Industry Canada in its review process.