Page 37 - CCCA63_2008
Corporate Law

Privacy, please!
Serious privacy lapses signal need for data breach notification law.

The need for mandatory data breach notification legislation in Canada has never been more pressing, given several notorious privacy lapses in Canada and the United States in recent years, a sharp increase in the incidence of identity theft and suspected credit card fraud, and mounting pressure from privacy advocates. Consider:

• A rampant privacy breach at Passport Canada late last year permitted easy online access to the personal information of passport applicants (including dates of birth and social insurance and driver’s license numbers).

• In July 2008, word came that several Canadian financial institutions had uncovered “isolated fraud patterns” apparently stemming from passengers’ use of credit cards (among other types of personal information) at self-service check-in kiosks at Toronto’s Pearson Airport. The volume of personal data at stake is staggering: 31.5 million passengers travelled through Pearson in 2007.

Consequences of data breaches

In addition to direct financial costs, the potential corporate fallout from data breaches may include litigation exposure, reputational damage, negative publicity, decreased productivity, loss of business opportunities, customer turnover, and sanctions and/or penalties where the breach results from a failure to comply with statutory requirements. The repercussions for individuals whose personal information has been breached are no less significant: they may experience identity theft, credit and employment issues, financial loss, physical harm, harassment, humiliation, embarrassment, stress and stigma.

Notification requirements

Ontario is the only Canadian jurisdiction that requires organizations to report or notify individuals when a data breach occurs. Under the Personal Health Information Act (PHIA), health information custodians must notify an individual, at the first reasonable opportunity, if his or her personal health information is stolen, lost or accessed by others.

In addition to the notification requirements under PHIA, U.S. federal and state notification requirements may apply to Canadian companies and other organizations that collect personal information about U.S. citizens and/or residents.

Proposed model

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), which has been in force since 2001, sets out how all businesses in Canada may collect, use or disclose information about individuals in the course of their business activities. In October 2007, the federal government announced its intention to amend PIPEDA to require reporting and notification of data breaches involving personal information. In June 2008, the federal government released a proposed model that incorporated refinements to (and clarification of) an earlier model that had been based on Industry Canada’s ongoing dialogue with various stakeholders. The current model defines a data breach as “an incident involving loss of, unauthorized access to, or disclosure of, personal information as a result of a breach of an organization’s security safeguards pursuant to Principle 7 of Schedule 1 of PIPEDA.”

This model would require businesses that collect personal information about individuals to notify them (and, potentially, other organizations) of a data breach where, in the circumstances, it is reasonable to consider that there is a substantial risk of significant harm to those individuals affected by the breach. Notification would be required as soon as possible after the detection, confirmation and assessment of the scope and extent of the breach. Thereafter, businesses would also need to report any material breach to OPC as soon as reasonably possible.

Note that the organization with control of the information would be responsible for determining whether affected individuals need be notified of the breach and a report made to OPC. The model calls for notification (where necessary) in a clear and conspicuous manner, using a direct means of communication and including sufficient information for a person to understand the significance of the breach and to take steps to mitigate any resulting harm.

Data breach protocol

As part of a breach avoidance policy, organizations should only collect personal information that they consider absolutely essential and then destroy such information securely when it is no longer needed.

Regardless of the lack of a Canadian data breach notification law (outside of PHIA), all Canadian organizations should adopt a data breach protocol as part of their overall privacy and security policies and procedures. Such a protocol would ensure a level playing field for all organizations and consistent treatment for individuals whose personal information has been breached. It would also inspire public confidence and trust in organizations.

Jennifer Dolman is a partner in Osler, Hoskin & Harcourt LLP's Toronto office. She has a broad commercial litigation practice and advises on privacy issues (jdolman@osler.com).

AUTOMNE 2008 CCCA Canadian Corporate Counsel Association 45