Toronto Star

Privacy breaches show need for reform

Some departments in Ottawa suffer breaches nearly every 48 hours

- MICHAEL GEIST

As Canadians focused last week on the aftermath of the Boston Marathon bombing and the RCMP arrests of two men accused of plotting to attack VIA Rail, the largest sustained series of privacy breaches in Canadian history was uncovered but attracted only limited attention.

Canadians have faced high-profile data breaches in the past — Winners/HomeSense and the CIBC were both at the centre of serious breaches several years ago — but the federal government revealed last week that it may represent the biggest risk to the privacy of millions of Canadians: some government departments suffer breaches virtually every 48 hours.

The revelations came as a result of questions from NDP MP Charlie Angus, who sought information on breaches of data, information or privacy in all government departments from 2002 to 2012. The resulting documentation is stunning in its breadth.

Virtually every major government department has sustained breaches, with most occurring over the past five years (many departments did not retain records dating back to 2002).

In numerous instances, the Privacy Commissioner of Canada was not advised of the breach.

Some of the most vulnerable departments are those that host the most sensitive information. For example, Citizenship and Immigration Canada suffered 161 breaches in 2012 — more than three per week — affecting hundreds of people.

On only five occasions did the department disclose the breaches to the Privacy Commissioner of Canada.

Human Resources and Skills Development Canada famously suffered a massive breach last year — 588,384 individuals have been affected — but less well known is that the department has had thousands of other breaches over the past few years.

In 2007, a breach affected 28,651 people, yet the Privacy Commissioner of Canada was not informed and the department is unsure whether the breach resulted in criminal activity.

Virtually no department has been immune to security breaches. Nearly 100,000 individuals have been affected by breaches at Agriculture and Agri-Food Canada since 2008. Almost 5,000 individuals were hit at Fisheries Canada with no reporting to the Privacy Commissioner, and just under 200 breaches at the RCMP affected an unknown number of people.

If a similar situation occurred involving a major Canadian bank, retailer or telecom company, there would be an immediate outcry for tougher rules on mandatory disclosure of security breaches. Yet the federal government plays by different rules, with no liability and no legal requirements to disclose the breaches.

Successive federal privacy commissioners have urged the government to reform the badly outdated Privacy Act to at least hold government to the same privacy standard that it expects from the private sector. But those calls for reform have been repeatedly ignored.

Most recently, Jennifer Stoddart, the current privacy commissioner, identified 12 seemingly uncontroversial reforms. These included strengthening annual reporting requirements by government departments, introducing a provision for proper security safeguards for the protection of personal information, and creating legislated security breach notification requirements.

None of the recommendations have been implemented.

In fact, Canadian privacy failures dot the legislative landscape.

Bill C-12, the Canadian private sector privacy bill intended to implement reforms that date back to hearings conducted in 2006, lies dormant in the House of Commons.

A review of the private sector privacy law that was required by law in 2011 has seemingly been forgotten.

Antispam legislation passed in 2010 and touted as a key part of the government’s cybercrime strategy is stuck as Industry Minister Christian Paradis dithers on the applicable regulations.

No institution has greater access to Canadians’ personal information than the federal government. The public entrusts it to keep their information secure and to take all appropriate actions should a security breach occur.

The latest revelations indicate that the failure to live up to that trust extends across virtually all government departments and to the political leaders who have failed to introduce much-needed legislative privacy safeguards.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at www.michaelgeist.ca.

GRAHAM HUGHES/THE CANADIAN PRESS FILE PHOTO: Privacy commissioner Jennifer Stoddart recently identified 12 possible reforms for federal privacy practices, but none have been implemented.
