Force companies to tell clients about breaches, watchdog urges
Require users to be given details of incidents, privacy czar urges
Companies and organizations should be required to directly notify individuals affected by breaches of their data security systems, the federal privacy watchdog says.
In its submission to the federal government, the office of Canada’s privacy commissioner, Daniel Therrien, says customers and others should be notified via telephone calls, emails or letters that detail the nature and date or estimated period of the lapse, along with steps taken to limit the damage.
The notice should describe the personal information exposed, steps those affected can take and the contact information of someone at the company who can answer questions.
The commission’s submission is part of a public consultation aimed at determining what companies and other private organizations must do in the event of a breach of customer data.
Several high-profile security lapses have crossed borders, including the hack of personal data of users of dating websites such as Ashley Madison that are owned by Toronto-based Avid Life Media, now known as Ruby Corp.
A massive breach of customer information of U.S.-based retailer Target in late 2013 prompted a warning that its Canadian customers’ personal information may have been exposed.
In addition, the privacy commissioner’s submission recommends that organizations affected by hacks be required to keep a record of the data breach and make these records available to the privacy commissioner upon request.
Setting out the requirements in regulation would “provide important clarity and certainty about the type of information that organizations should communicate to individuals,” the written submission says.
Indirect notification would be acceptable in special circumstances such as where notification is likely to cause further harm. The submission also said Ottawa should consider “the borderless nature” of online commerce as it crafts privacy breach notification regulations to be enacted in coming months.
It said organizations are typically required to protect the personal information of all individuals under their control, regardless of where those individuals reside. As such, it said breach notification and reporting requirements should bear in mind the extent to which organizations may have to notify individuals and privacy authorities outside of Canada.
Though not proposing a regulatory requirement, the privacy commissioner said businesses hit by a cyberattack that affects customers outside of Canada should consider the notification laws of those jurisdictions. A number of international jurisdictions have established both mandatory and voluntary data breach reporting frameworks, and Canada passed legislation last year that laid the groundwork for mandatory reporting of private-sector breaches that pose a “real risk of significant harm” to individuals.
The privacy commissioner added that encryption may play a role in reducing or eliminating risk, but cautions that as algorithms evolve, encryption standards may become decipherable.
In its submission, the Canadian Bar Association recognizes the importance of providing meaningful notice to individuals of data breaches. “The regulations should avoid being overly prescriptive, however, in the form and manner of notifications.”
Organizations should have flexibility to determine whether direct or indirect notification is most suitable, the CBA said.