National Post (National Edition)
Public advocacy centre skeptical of data breach reporting rules
Says too much discretion for companies
OTTAWA • Companies would be required to notify people of a serious data breach involving personal information under proposed new federal regulations.
But the regulations are intended to provide “maximum flexibility” to an organization that loses data, says a government notice accompanying the planned measures.
One prominent public advocacy organization voiced skepticism Tuesday about how effective the new rules will be.
Several businesses — including telecom provider Bell Canada, retailer Target and affair-seekers website Ashley Madison — have been stung by breaches in recent years.
The loss of data can be embarrassing for an organization and often causes headaches for customers whose personal or financial details are suddenly swirling in cyberspace.
Legislation passed two years ago laid the groundwork for mandatory reporting of private-sector breaches that pose a “real risk of significant harm” to individuals. The newly published regulations, drafted with the help of public feedback, would flesh out the legislation.
“A key theme of the responses was the need for flexibility to allow organizations to implement requirements in a manner that fits their particular circumstances,” the federal notice says.
“The majority of business representatives were against overly prescriptive regulations and expressed the desire to make use of existing practices to meet their new obligations to the extent possible.”
In the likelihood of “significant harm,” organizations would be obliged to inform affected people as well as the federal privacy commissioner, whose office would determine whether appropriate actions were indeed being taken.
In addition, organizations that experienced a breach would have to keep a record of the incident and make these records available to the privacy commissioner upon request.
The proposed rules don’t go far enough because they give companies discretion as to whether an incident is sufficiently serious to report, said John Lawford, executive director and general counsel of the Ottawabased Public Interest Advocacy Centre.
A risk-averse company might come clean about a breach, but others may be tempted to keep a lapse under wraps, Lawford said Tuesday.
“I think it’s just a terrible solution, and I think we’re going to have fewer data breaches reported rather than more.”
The regulations say a breach report to individuals must include a description of the lapse, when it happened, the information involved, steps taken to reduce harm to people, information as to what the individual can do, a toll-free number or email address for providing additional details to the public, and information on how to complain to the organization and the privacy czar.
However, a company may provide only indirect notification to affected people — through a website posting or an advertisement — in the event that:
providing direct notification would cause further harm — for instance, if it would inform family members of the person’s purchase of a confidential product or service;
the cost of direct notification would be prohibitive; or
the organization lacks contact information for those affected, or the information it has is outdated.
The privacy commissioner’s office, which has strongly supported the move to mandatory reporting, said Tuesday it was reviewing the regulations and therefore could not yet comment.
The public has until early next month to provide feedback on the draft regulations.