NDP MP Charmaine Borg introduced Bill C-475, an act to amend the Personal Information Protection and Electronic Documents Act (PIPEDA), which would add mandatory security breach disclosure requirements to the law along with new order-making powers.
In the case of a data breach, the privacy commissioner would have to be notified, and the commissioner would then be required to assess the risk and issue an order to remedy the problem. Any organization that fails to comply with such an order may be subject to a single monetary penalty of up to $500,000, or to punitive damages imposed by the court.
While University of Ottawa law professor Michael Geist noted in his blog last week that it is a “far better proposal” than the government’s current privacy reform bill, which has been around for about two years, others suggest there are already measures in place that address what is being proposed.
The bill states: “The factors in determining whether a loss or disclosure of, or unauthorized access to, personal information would be considered by a reasonable person as creating a risk of harm should be a) the sensitivity of the personal information and b) the number of individuals whose personal information was involved.
“If the Commissioner determines that the loss or disclosure of, or unauthorized access to, personal information is likely to result in an appreciable risk of harm to the affected individuals, the Commissioner shall, as soon as feasible, order the organization to notify the affected individuals without unreasonable delay.”
Breach disclosure laws have been in place in the United States for many years, but Mark Hayes, of Heydary Hayes PC, says there have been problems with the way breach disclosure has been handled in the U.S. In the early days, he says, there was a knee-jerk reaction to whatever incident had occurred.
Hayes says what the NDP bill is proposing is not that dissimilar to what already happens in Canada in the event of a breach.
“Anything that has a compulsory notice to individuals in certain circumstances is problematic,” says Hayes, noting all privacy breaches are contextual and many are not necessarily privacy breaches but “potential” breaches.
If someone loses a thumb drive or a hard drive, it could be sitting in a briefcase in a storage room or the bottom of a landfill.
“The problem with breach notification has always been that there is a real risk of over-notification,” he says.
In some U.S. jurisdictions, there is an obligation to notify individuals whenever there is a breach or even the possibility of a breach. The result has been two-fold: hundreds of thousands of notices sent to people whose risk of an actual privacy breach is at best minimal or non-existent, and notice fatigue among the recipients.
“If you’ve had three notices from organizations in the past year saying there’s been a potential breach of your personal information and absolutely nothing happens, when you get the fourth one you just throw it in the garbage because you’ve decided it’s meaningless,” says Hayes.
The proposed amendments to PIPEDA would require companies to notify the commissioner in certain circumstances and then the commissioner decides and makes recommendations as to what it thinks should be done.
“This happens now all the time because the first thing you do when there’s a privacy breach, if you’re well advised, is send a notice to the commissioner and explain what’s happened,” says Hayes.
Where it’s a serious breach the privacy commissioner works with the organization to determine the most sensible approach.
“That’s a great insulator for organizations to say, ‘We did the due diligence.’ The problem when you try and hard code those requirements into a statute is you just can’t anticipate what all the circumstances [will be]. I think the consensus has been to leave it pretty vague but let the organizations and commissioner figure out the solution,” he says.
Hayes maintains there is a difference between a breach occurring, the organization being at fault, and any actual harm being done.
“If you look at most of the situations where there have been privacy breaches they tend to be a situation where something unforeseen has happened or there is some kind of outside hack. If a company has been negligent, that’s one thing. But if they have state-of-the-art security and someone hacks in despite that, it’s pretty difficult to say imposing a large penalty is going to make things better because they already did everything they could do,” says Hayes.
Hayes cited a client that had run an online contest which turned out to be far more popular than expected. During a brief period when the server became overwhelmed, a small number of entrants were able to see the names and addresses of other people who had entered the contest.
“It was a small pool of people involved and small potential for harm and the chance someone could do something with the information was small. Yet if you have compulsory notification that’s a clear example of over-reporting,” he says.