The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Monday, July 09, 2007
Federal Computer Week recently ran an article on a new report from the GAO that found that few large privacy breaches lead to fraud. The report is here: Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown (Government Accountability Office); and the FCW.com article is here:
FCW.com News - Few breaches lead to identity theft, GAO finds
Although data breaches in the public and private sectors are frequent, few incidents of identity theft have occurred as a result of the loss or unauthorized exposure of personal information, the Government Accountability Office said.
Fortunately for potential victims, only three of the 24 biggest breaches that GAO reviewed led to detected incidents of fraud on existing accounts and one incident of the unauthorized creation of a new account, according to GAO’s analysis of available data and interviews with researchers, law enforcement officials and industry representatives.
Retailers and a credit card processor were responsible for the data breaches that led to identity theft. GAO said it uncovered no clear evidence of fraud in 18 incidents, and insufficient data was available to make a determination in two incidents. However, it is difficult to know for certain the magnitude of identity theft, GAO said.
“The extent to which data breaches result in identity theft is not well-known, in large part because it can be difficult to determine the source of the data used to commit identity theft,” wrote David Wood, a director of GAO’s Financial Markets and Community Investment team, in a report posted today.
Perpetrators might hold stolen data for more than a year before using it to commit identity theft, law enforcement officials told GAO.
The data breaches GAO examined represent a fraction of the incidents in which public and private organizations have exposed or lost personal information. From 2005 through 2006, the news media have reported more than 570 data breaches. The House Oversight and Government Reform Committee identified more than 788 data breaches at 17 agencies from January 2003 through July 2006, and banks have reported several hundred incidents to their federal regulators in the past two years.
GAO studied breaches that were reported before July 2005. None involved federal agencies.
Encryption and hardware requirements for access control and certain data-reading equipment can prevent or restrict unauthorized access to data if it falls into the wrong hands.
Requirements to notify affected individuals could serve as incentives for organizations to improve data security practices so they can minimize legal liability and avoid the public relations issues that could result from a publicized breach. But that approach could also result in organizations spending money to develop incident response plans for identifying and notifying affected individuals.
A requirement that is too broad could result in notification of breaches that present little or no risk, perhaps leading consumers to disregard all notices, GAO said.
The agency instead recommended the use of a risk-based notification standard to identify the incidents in which the potential for harm exists and the appropriate actions to take. Consumers who are notified that their data was compromised could then take steps to protect themselves from possible identity theft, such as monitoring their bank or credit card statements for suspicious activity.
“Should Congress choose to enact a federal breach-notification requirement, use of the risk-based approaches that the federal banking regulators and the President’s Identity Theft Task Force advocate could avoid undue burden on organizations and unnecessary and counterproductive notifications to consumers,” Wood wrote in the report.
In April, the task force recommended a national notification standard for public and private organizations similar to its risk-based guidance for federal agencies. It involves notifying consumers who face a significant risk of identity theft, but it avoids excessive notification.
In addition, the Office of Management and Budget has issued guidance to help federal agencies respond to data breaches. No federal law requires that companies or other organizations notify affected individuals of data breaches, although federal banking regulators have provided guidance to the financial institutions they supervise and 36 states have enacted breach-notification laws.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.