Times Colonist

Report: Consumers face data disaster


OTTAWA — Consumers have to contend with “inexcusable” security breaches because many companies ignore some of the most basic steps to protect their personal information, Canada’s privacy commissioner says in a hard-hitting report released yesterday.

Jennifer Stoddart’s annual report on whether companies are complying with Canada’s Personal Information Protection and Electronic Documents Act, tabled in Parliament, points to some huge gaps in their legal obligations to safeguard the personal data they collect.

“2007 was the year of data privacy disasters, highlighting the need for companies to recognize the value of personal information and take more care in securing it,” the report states.

Stoddart found that many companies are failing to implement “elementary security measures,” such as using encryption on laptops. As a result, these unprotected or stolen laptops, often containing customer information, remain a “huge issue” for the private sector.

Last year, nine in 10 people whose data was compromised by a self-reported security breach were put at risk because their personal information was held in an electronic format that was either not secured or lacked adequate protection mechanisms, such as firewalls or encryption, the report found. Other breaches occurred because staff failed to follow company protocols to protect the private information of their customers.

“I would think with the alarm bells going off about huge data security breaches that most companies would be taking more active steps,” Stoddart said in an interview.

This type of “gambling with personal information” leaves consumers in a precarious spot, the report states.

“Of course, not all of the data compromised in these kinds of breaches winds up in the hands of criminals. However, it is clear crooks have recognized that personal data is a gold mine. Identity theft is rampant — and lucrative.”

Financial institutions reported the largest number of breaches in 2007. Banks also generated the most complaints, making up almost one-third (105 of the 350) of complaints alleging violations of the act. Telecommunications, insurance and retail companies also reported breaches and were the target of complaints, although in smaller numbers than in previous years.

Virtually every privacy issue and complaint contained an information technology component, the report found, singling out its investigation last year of the massive breach at TJX-owned stores, including HomeSense and Winners. The breach involved about 94 million debit and credit numbers worldwide after the company delayed upgrading its outdated computer security system because of costs.

The Office of the Privacy Commissioner has already received more voluntary breach reports in the first five months of this year (21) than it did for all of 2006 (20), but Stoddart is worried the situation is worse than it appears because few small- and medium-sized businesses are reporting breaches.

As a result, she strongly supports a plan by Industry Canada to make it mandatory for companies to report any material data breach to the privacy commissioner.
