Report: Consumers face data disaster
OTTAWA — Consumers have to contend with “inexcusable” security breaches because many companies ignore some of the most basic steps to protect their personal information, Canada’s privacy commissioner says in a hard-hitting report released yesterday.
Jennifer Stoddart’s annual report on whether companies are complying with Canada’s Personal Information Protection and Electronic Documents Act, tabled in Parliament, points to some huge gaps in how they meet their legal obligations to safeguard the personal data they collect.
“2007 was the year of data privacy disasters, highlighting the need for companies to recognize the value of personal information and take more care in securing it,” the report states.
Stoddart found that many companies are failing to implement “elementary security measures,” such as using encryption on laptops. As a result, these unprotected or stolen laptops, often containing customer information, remain a “huge issue” for the private sector.
Last year, nine in 10 people whose data was compromised by a self-reported security breach were put at risk because their personal information was held in an electronic format that was either not secured or lacked adequate protection mechanisms, such as firewalls or encryption, the report found. Other breaches occurred because staff failed to follow company protocols to protect the private information of their customers.
“I would think with the alarm bells going off about huge data security breaches that most companies would be taking more active steps,” Stoddart said in an interview.
This type of “gambling with personal information” leaves consumers in a precarious spot, the report states.
“Of course, not all of the data compromised in these kinds of breaches winds up in the hands of criminals. However, it is clear crooks have recognized that personal data is a gold mine. Identity theft is rampant — and lucrative.”
Financial institutions reported the largest number of breaches in 2007. Banks also generated the most complaints, making up almost one-third (105 of the 350) of complaints alleging violations of the act. Telecommunications, insurance and retail companies also reported breaches and were the target of complaints, although in smaller numbers than in previous years.
Virtually every privacy issue and complaint contained an information technology component, the report found, singling out its investigation last year of the massive breach at TJX-owned stores, including HomeSense and Winners. The breach involved about 94 million debit and credit numbers worldwide after the company delayed upgrading its outdated computer security system because of costs.
The Office of the Privacy Commissioner has already received more voluntary breach reports in the first five months of this year (21) than it did for all of 2006 (20), but Stoddart is worried the situation is worse than it appears because few small- and medium-sized businesses are reporting breaches.
As a result, she strongly supports a plan by Industry Canada to make it mandatory for companies to report any material data breach to the privacy commissioner.