The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Tuesday, September 14, 2004
The Asahi Shimbun website has a very interesting story from Japan about the reaction of Japanese businesses to highly-publicised leaks of personal information. While some of these practices may seem to go overboard, they really are prudent since a large number of Japanese customers don't appear to be shy about complaining about mishandling of personal information. If you don't need it, don't collect it in the first place. If you no longer need it, destroy it. I haven't heard about specific privacy insurance in Canada yet, but it may not be too far off ...
Companies are scrambling to protect themselves against potentially disastrous information leaks.
`A leak of data even on dozens of customers would bring an unrecoverable blow to us.'
EXECUTIVE, Food company in Tokyo
Every morning, an executive of a Tokyo food maker heads to the paper shredder and destroys documents. The measure, he says, is essential in protecting the company.
He is not hiding evidence from investigators. His action is part of efforts spreading nationwide to prevent data leaks that could lead to financial disaster.
The shredded documents at the food company are delivery order slips that contain customers' names, addresses and phone numbers.
The company decided to destroy all personal information, except e-mail addresses, as soon as a product's delivery is confirmed. Keeping a large amount of personal data ``means an increased risk,'' the executive says.
``Unlike a major company with physical strength, credibility is all that smaller firms like ours can count on,'' said the executive of the food maker, with a work force of several dozen employees. ``A leak of data even on dozens of customers would bring an unrecoverable blow to us.''
Prior to the full implementation of the personal information protection law next April, businesses are stepping up efforts to prevent information leaks.
Workers are educated on the importance of data protection. And many companies are now seeking ``data leak insurance'' to cover potential damages from lawsuits.
The law, which already regulates administrative entities, will be extended to cover private businesses with personal data on 5,000 or more people. Violators face a maximum six-month prison term or a fine of up to 300,000 yen.
But the real risks, as the Tokyo food maker fears, is a loss of credibility-and potentially huge compensation payments.
Businesses have a reason to be concerned. Videotape and CD rental chains, for example, have membership information on thousands of customers.
According to the Japan Network Security Association, compensation for a data leak varies from 1,000 yen to 1.5 million yen per customer, depending upon what information was leaked and how the company dealt with its aftermath.
Based on past court decisions, the association estimates a leak of an e-mail address could cost a company 4,000 yen. But the compensation amount soars to 300,000 yen per person if the name, address and legal domicile are leaked.
If all the 1.55 million victims in 57 leakage cases reported last year had sued, the total compensation could have reached 28 billion yen, according to the association.
The Compact Discs & Video Rental Trade Association of Japan is preparing guidelines for its 1,100 members on how to handle personal data.
Member stores often use a driver's license to confirm the identity of a customer. But the license also carries the holder's permanent and current addresses.
``If data are leaked and 100 customers file complaints, the business would be thrown into confusion,'' said an association official.
The association advises its members to black out the permanent domicile on the license's photocopy. But ``many shops count on part-time workers so teaching them is a major challenge,'' said the official.
Concerns over repercussions from data leaks have provided a business opportunity for non-life insurers, which have come out this year with new products to cover damages from information leaks.
``The responses are extraordinary,'' said an official of Mitsui Sumitomo Insurance Co., which has sold about 100 policies a month since it made the new product available in June.
The insurance covers compensation payments up to 300 million yen, even if the leak was an intentional act of an employee.
A series of large-scale leak cases this year prompted businesses to get insured.
A leak at Internet service provider Softbank BB Corp. affected 6.6 million customers.
Information of 1.16 million customers was leaked in the Sanyo Shinpan case, while the figure in the Cosmo Oil case was 920,000.
Victims are increasingly bringing their cases to court. After residents' register data were taken out and circulated from Uji city in Kyoto Prefecture, three residents sued the city government.
A court ordered the city to pay a total of 45,000 yen to the plaintiffs. The ruling was finalized in 2002.
TBC, an aesthetic salon, has been hit with a group lawsuit demanding 1 million yen in compensation for each plaintiff. Data on 50,000 clients, including vital statistics, were leaked, and some of the information was posted on the Internet.
The Japan Network Security Association says the possibility is high that many more victims will join group lawsuits if the compensation amounts rise to hundreds of thousands of yen per person.
``We hope each company will find out how much their personal data are worth before hammering out steps against information leaks,'' an association official said.(IHT/Asahi: September 8,2004) (09/08)
Labels: information breaches
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.