The recent personal information breaches in Canada have prompted a lot of discussion about breach notification.

This may be the upswell of citizen concern that will prompt legislative change in Canada. From today's Halifax Chronicle Herald:

The ChronicleHerald.ca - Should retailers come clean? Businesses not obligated to alert consumers when information is stolen

By CLARE MELLOR Business Reporter

Retailers and financial institutions in Canada don’t have to tell customers when thieves have stolen their personal information.

Recent cases of data theft at Winners and the loss of a hard drive at CIBC have made headlines across the country, alerting Canadian consumers to be on guard for identity theft, but these security breaches could be the tip of the iceberg, privacy experts say.

"There are probably a whole lot more incidents out there that we haven’t heard about because the businesses have no legal reason that requires them to tell the consumers involved," Halifax lawyer David Fraser, a privacy specialist, said Friday.

"One of the big questions on law reform in this area is whether a business should have a duty to notify people whose information has been compromised."

CIBC, which was earlier taken to task by federal privacy commissioner Jennifer Stoddart for lapses in security involving misdirected faxes, issued a news release and sent letters to Talvest mutual-fund holders last week. The company said a backup computer file containing their personal information had gone missing in transit.

TJX Cos., American operator of Winners and HomeSense, recently revealed that computer hackers had broken into its system, but the firm has not said how many customers had personal data stolen.

About 30 states have laws requiring businesses to notify their customers when their personal information has been stolen or lost, Mr. Fraser said.

A parliamentary committee has been reviewing Canada’s federal privacy law. Requirements to notify the public when a breach happens are being discussed.

When Ms. Stoddart appears before the committee, she will likely call for changes to the law requiring businesses to inform consumers when their information has been stolen or gone missing, Anne-Marie Hayden, spokeswoman for the privacy commissioner’s office, said Friday.

Under Canada’s privacy law, businesses and banks must keep personal information secure and not share it without client consent.

While Ms. Stoddart’s office can’t fine or penalize businesses that repeatedly break the law, it can pursue legal action through the Federal Court, Ms. Hayden said.

"It would be safe to say that most of the time when the commissioner makes recommendations (to tighten privacy practices), those changes are implemented," she said .

But David Malamed, a forensic accountant, said it is clear many companies are not taking their privacy obligations seriously enough.

"A lot of the reason that it is happening is that the focus for a lot of companies is on the bottom line," said Mr. Malamed, who works at Grant Thornton in Toronto

"As systems advance, people get smarter and the question is how money is being invested into protecting these systems. . . . There are different methods that you can go about to protect your customer information that will help prevent this from happening or at least reduce it to a greater degree."

There have been media reports of fraudulent purchases made with customer information stolen from Winners.

A Canadian law firm, Merchant Law Group, which has offices in Saskatchewan and Alberta, has already launched a class-action suit over the security breach.

But there is some question about whether Canadian consumers can successfully sue for theft or mishandling of their personal information, Mr. Fraser said.

"If you are the subject of fraud, you may be able to successfully sue them," he said. "But if you can’t prove harm, it is much more difficult."

(cmellor@herald.ca)

Labels: alberta, breach notification, identity theft, pipeda review, privacy, tjx