Proposed Breach Notification Law Falls Short; U.S. Way Ahead of Canada

Today's issue of The Ottawa Citizen reports that proposed Canadian legislation about when customers must be notified of the loss of personal information by firms and institutions will allow the data holders a wide margin of discretion.

The article, entitled Feds to leave disclosure of data security breaches to businesses: legislative plan, is based on a draft bill obtained by the CanWest News Service of which The Citizen is a member:

" 'In the event of a data breach where an organization determines there is a high risk of significant harm to individuals resulting from the breach, the organization is required to notify affected individuals as soon as is reasonably possible after detection of a breach,' the proposal states."

"The document confirms there will no financial penalties if companies break the rules. Comments from invited participants are due Friday (...)"

"Consumer groups say the behind-the-scenes talks, dominated by representatives from the banking, telecommunications, and retail sectors, 'have gone off the rails'."

" 'You could defend yourself, 'I never disclosed the information because we determined ourselves that there was not a high risk of significant harm. It was just a moderate risk of significant harm,' said John Lawford, staff lawyer at the Public Interest Advocacy Centre."

Last May, the Standing Committee of the House of Commons on Access to Information, Privacy and Ethics completed the statutory review of the Personal Information Protection and Electronic Documents Act (PIPEDA). The Committee did not recommend a mandatory breach notification law. Rather, it supported "requiring organizations to notify the Privacy Commissioner of certain defined security breaches, so that her office has an opportunity to assist in the determination of whether affected individuals should be notified, and if so, in what manner. This second stage of the process would be discretionary, in that the Privacy Commissioner would determine on a case by case basis whether or not to recommend notification." [see Recommendations 23-25]

Last fall, Industry Canada announced that it was seeking public input on a number of specific potential amendments to PIPEDA, including what to do about data security breaches. The draft proposal is a result of those consultations.

As a comparison, the legal requirements south of the border impose much more onerous obligations on companies and institutions.

The Congressional Research Service in the United States has compiled a document entitled Information Security and Data Breach Notification Safeguards :

"The following report describes information security and data breach notification requirements included in the Privacy Act, the Federal Information Security Management Act, Office of Management and Budget Guidance, the Veterans Affairs Information Security Act, the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Federal Trade Commission Act, and the Fair Credit Reporting Act (...) "

"During the 110th Congress, three data security bills — S. 239 (Feinstein), S. 495 (Leahy), and S. 1178 (Inouye) — were reported favorably out of Senate committees. Those bills include information security and data breach notification requirements. Other data security bills were also introduced, including S. 806 (Pryor), S. 1202 (Sessions), S. 1260 (Carper), S. 1558 (Coleman), H.R. 516 (Davis), H.R. 836 (Smith), H.R. 958 (Rush), H.R. 1307 (Wilson), H.R. 1685 (Price), and H.R. 2124 (Davis)."

Also, at least 39 states and the District of Columbia have enacted legislation requiring notification of security breaches involving personal information.