Wednesday, January 10, 2007

Paper on Data Security Breach Notification

The Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa released a white paper yesterday that calls on the federal government to enact a data security breach notification law.

Such a law would require organizations, government agencies and businesses to notify individuals when their personal information is exposed to potential theft and misuse due to a computer security breach.

Such a law was proposed by a number of groups that appeared in 2006 in front of the House of Commons Standing Committee on Access to Information, Ethics and Privacy during the statutory review of PIPEDA (Personal Information Protection and Electronic Documents Act).

From the introduction of the CIPPIC White Paper:

"In 2005, Phonebusters, a Canadian organization which studies and reports on identity theft, collects data, educates the public and assists Canadian and U.S. law enforcement agencies in consumer fraud cases, received over 12,000 complaints from victims of identity theft. The associated losses were an estimated $8.6 million. By October 2006, Phonebusters had received fewer complaints than in the previous year, but total losses had risen to almost $15 million".

"In the U.S., identity theft has topped the Federal Trade Commission’s (FTC) list of consumer complaints for years... In 2005, losses to victims and businesses were an estimated $56.6 billion".

"Recognizing that individuals need to know when their personal information has been put at risk in order to mitigate potential identity fraud damages, most states in the U.S. now have laws requiring that organizations notify affected individuals when a security breach exposes their personal information to unauthorized access. In contrast, neither the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) nor corresponding provincial statutes include an explicit security breach notification requirement".

"This White Paper considers the need for an explicit obligation in Canadian privacy law to notify affected individuals of a breach in an organization’s security that places those individuals’ personal information at risk. The Paper begins its analysis with a review of the existing Canadian legislative framework relating to security breach notification. It then analyzes security breach legislation in the United States, where over half the states have enacted a mandatory security breach disclosure requirement and where several federal bills are currently pending. The Paper then considers justifications for, and objections to, such legislation, before concluding with a series of recommendations for enacting an effective statutory obligation of security breach notification in Canada".

In the United States, the National Conference of State Legislatures has compiled a collection of state Breach of Information Legislation. The U.S. Consumers Union has published resources as part of its Financial Privacy Now campaign. And the NGO U.S. PIRG has also put together many resources about identity theft protection, including a Summary of State Security Freeze and Security Breach Notification Laws.

For a critical overview of what is being done south of the border, I can suggest the article Industry, Government Fret Over Tactics for Fighting Data Theft (National Law Journal), published on the website

posted by Michel-Adrien at 6:26 pm