Data gone Missing? What Could-Would-Should You Do About It?

Gowling/ITAC Privacy Seminar, May 8, 2007

Address by Patricia Kosseim (CHECK AGAINST DELIVERY)

Introductory Remarks

First, on behalf of the Commissioner, my colleague Ann Goldsmith and I would like to thank you for the opportunity to speak to you today, and we send the Commissioner’s regrets for not being able to be here in person. She was recently asked to appear before the House of Commons Standing Committee on Access to Information, Privacy and Ethics to speak to Parliamentarians about identity theft – an issue very much related to the topic we were asked to address here today – breach notification. Like the Hockey Canada officials dragged before another Commons committee last week, the Commissioner’s appearance is a command performance.

Outline

In the twenty minutes I have, I would like to:
Scope of the Problem

One of the main drivers for a duty to notify of security breaches is the growing threat of ID theft and the pervasive toll it takes on victims entangled in its global web. While we know that identity theft is a significant problem in Canada, it is difficult to scope out the true extent of the problem. Not every victim reports the crime, and there is no central reporting mechanism to keep track of incidents as they happen. Phonebusters, the Canadian Anti-Fraud Call Centre, has reported that, while there appears to have been a decrease in the number of victims from 8204 in 2002 to 7778 in 2006, the extent of monetary loss resulting from ID theft has gone up from $11.8 million to $16.2 million during that same time period. However, even Phonebusters concedes that these figures are not necessarily representative of reality, as the number of reported ID thefts that are called into the Centre captures only a small percentage of actual incidents happening on a daily basis. Whatever may be the exact statistical figures, one thing is certain. The problem has caught our attention. A 2006 survey conducted by Ipsos Reid determined that seventy-one per cent of Canadian respondents are concerned about the fact that their “identity may be stolen and used for fraudulent means by criminals for financial gain.” While everyone is interested in identity theft, there is no one designated body that has been charged with assessing and addressing the problem in Canada. In the US, on the other hand, President Bush established an identity theft task force a year ago, to marshal US federal government resources to fight the problem. Just last month, the Task Force tabled a coordinated Strategic Plan to tackle the problem head on with law enforcement measures, prevention mechanisms, education efforts and victim recovery support. The causal link between ID theft and breach notification is not clear-cut.
Notification of breach is intended as an immediate response to mitigate against the risk of ID theft. However, it is not always known whether: 1) the security breach was carried out purposely with a view to stealing individuals’ personal information; 2) the security breach happened accidentally and as an unintended consequence the personal information lost could find its way onto the black-market and into the hands of identity thieves; or, 3) the mere fact of publicly announcing the breach can itself put thieves on notice of the value of the data gone missing and set them conveniently onto the scent of a potentially lucrative venture. Security breaches are not happy events in the lives of corporate management. Many of you have read about these unfortunate incidents in newspaper accounts over recent months, but let me just refresh your memory about some of the recent breaches in Canada’s private sector that rang in the New Year:
PIPEDA Review: The Consultation Process

As many of you may know, Parliament began its mandatory five-year review of PIPEDA several months ago. In preparation for that review, the Office of the Privacy Commissioner of Canada released a discussion document last June identifying a number of aspects of PIPEDA that Parliament might consider during its review. We were pleased to receive 63 submissions in reply to the discussion document. Among those submissions, there was no consensus about whether there should be a legislative requirement to notify of breaches, and if so, in what cases and how notification should be required. Some of the submissions called for heavy fines or penalties for failure to notify of breach. One consumer advocacy organization argued that PIPEDA should permit civil actions for a failure to notify. As you can see, there was considerable variation in the views expressed by interested stakeholders during our consultation process. Equipped with these views, the Commissioner appeared before the Standing Committee on Access to Information, Privacy and Ethics in late November of last year and again last February. The Commissioner called for urgent measures to resolve the data breach notification issue. The Commissioner was particularly concerned with how such breaches would facilitate identity theft, pretexting and the illegal trade in personal data. She noted the potential value of breach notification in providing individuals with an early warning system to make them better prepared to deal with the risk of identity theft and other harms that might result from a breach. At the same time, the Commissioner recognized the difficulty of simply incorporating a duty to notify into the current PIPEDA model, since there is no straightforward way of penalizing organizations for failure to do so.
PIPEDA establishes the Privacy Commissioner as an ombudsman, and does not afford her with direct powers of enforcement like those of her Ontario, Alberta and BC counterparts. While the Commissioner recognized that determining the appropriate enforcement model would require additional time and consultation, she strongly encouraged the Committee to recommend amending the Act to include a breach notification provision. The Commissioner was not alone in this recommendation. Many other witnesses likewise called for a new provision to be added, though the specific modalities varied from one proposal to the next.

PIPEDA Review: The Committee Report

On May 2, the House of Commons Standing Committee on Access to Information, Privacy and Ethics released its report on PIPEDA review. On the issue of breach notification, the Committee recommended:
Depending on the threshold that is ultimately chosen for requiring organizations to report breaches to the Commissioner, we wonder whether shifting the responsibility on our Office (as the middleman) to assess and determine whether individuals should be notified in each reported instance might create an unworkable burden on our Office, with significant resource and capacity implications. The Department of Industry has 120 days to respond to the Committee report. And, as you all know, if an election is called, nothing will come of the Committee report in any event.

Proposed Guidelines in the Interim

Recognizing the length of time it might take to amend PIPEDA to include an express breach notification requirement, the Commissioner was already, at the time of her Committee appearance in February, exploring the idea of developing interim guidelines at the federal level, along the lines of what has already been introduced provincially in British Columbia and Alberta. Ontario too has guidelines of course, though they differ somewhat given the fact that Ontario is currently the only jurisdiction in Canada with an express, legislated requirement for mandatory breach notification in its Personal Health Information Protection Act. An initial draft of breach notification guidelines at the federal level was prepared by a group of private sector organizations. In mid-April, our Office held a consultation session to discuss these draft guidelines among a broader group of stakeholders, including about 15 representatives from the private sector, as well as representatives from the Alberta, British Columbia, and Ontario Commissioners’ offices, and a number of representatives from public-interest advocacy groups.
In the interest of time, I will elaborate only on the third key step – that of notification. On the question of whether to notify, the guidelines do not recommend notification in every circumstance. They suggest that the key consideration in deciding to notify should be whether notification is necessary to help avoid or mitigate harm to an individual whose personal information has been lost or inappropriately accessed. As for when, notification should occur as soon as reasonably possible following assessment and evaluation of the breach. However, if law enforcement authorities are involved, notification may need to be delayed to avoid compromising an ongoing investigation. As for how to notify, the draft guidelines suggest that the preferred method of notification is directly to the affected individuals – by phone, by letter, by e-mail or in person. Indirect notification – for example website information, posted notices and announcements to the media – should generally occur only where direct notification could cause further harm, is prohibitively costly, or if current contact information for the affected individuals is not known. As for who should notify, the draft guidelines suggest that, generally speaking, the accountable organization – the organization that owns the data – should carry out the notification, even if the breach occurs at a third-party service provider who has been contracted to maintain or process the personal information. The guidelines go on as well to recommend what content should be included in a notification, as well as what authorities or organizations should be contacted, such as police, insurers, professional or regulatory bodies, credit card companies, financial institutions or credit reporting agencies, and the relevant Privacy Commissioner’s office, as appropriate in the circumstances.
Unfortunately, some of the civil society groups that had been part of the stakeholder consultation pulled out of the process on the grounds that the initial discussion draft, prepared by industry, was inherently biased towards a pro-business approach. They were also of the view that there should be a legislative requirement to notify individuals, with which we agree. Though we hoped they would continue to participate in the development of guidelines until such time as legislation might be in place, we certainly appreciate and respect their views. Even if the Committee’s recommendations relating to breach notification are enacted into law, it will not happen overnight. In the interim, we are continuing to work with stakeholders to develop and adopt these notification guidelines until such time as legislation can be introduced. We hope to have the guidelines available on our website by June.

Other Committee Recommendations of Interest to the Business Community

Other than the Committee’s recommendations on breach notification, I will – in the brief time I have left – highlight for you some of the other major recommendations relevant to the business community.
Overall, we have been very pleased with the review process. The fact that PIPEDA contains a mandatory legislative review clause gives us all a timely opportunity to reflect upon how well PIPEDA is working or not working in the private sector after its first five years of existence. It has given relevant stakeholders a chance to express and hear different perspectives on how the Act might be improved to meet emerging challenges. We look forward to government’s response to the Committee’s recommendations and to working with Industry Canada in its review process.
Date published: 2007-07-09