Fellow blogger David Canton is quoted in this interesting article that suggests reckless corporations may find themselves guilty of violating the new ID theft law:

Reckless Data Handling Could Violate ID Theft Law - Security Feed - News - CSO Magazine

Nov 27, 2007

Reckless Data Handling Could Violate ID Theft Law

The recently proposed amendment to the Criminal Code that would make "reckless" handling of personal information a crime can be troubling given the broad definition of the word, said one lawyer.

If Bill C-27 is passed, it will be an offense to make available or sell personal information (such as names, addresses bank account information and social insurance numbers) knowing it will be used to commit fraud -- or if the person or company selling the information is reckless as to whether the data will be used for fraud by a third party.

Bill C-27, an Act to Amend the Criminal Code (identity theft and related misconduct) was tabled in the House of Commons last week and passed first reading.

As reported by ITWorld Canada, vendors say Feds should enforce data encryption

The problem with measuring recklessness is a valid concern for organizations whose business relies on collecting customer personal information given the lack of industry standards, said Howard Simkevitz, lawyer with Toronto, Ont.-based law firm Lang Michener LLP.

Some international standards, from bodies such as the International Standards Organization (ISO), handle security compliance, but there is no equivalent for privacy, Simkevitz said.

"When we’re talking about identity theft and it’s the theft of personal information, that’s a distinct privacy-oriented term."

He added the term reckless includes the absence of precautions around securing customer personal data, so organizations should implement policies and procedures based around this. Overall, such precautions are mainly based on common sense and good corporate values around how to handle another person’s sensitive data, he said.

The privacy commissioner, he added, also makes available helpful guidelines around policies.

Actually, the Personal Information Protection and Electronic Documents Act (PIPEDA) provides a good starting point, he said, by advising organizations to determine whether the information they are collecting is personal, and if it is, to figure out if they have received consent to collect and use it for certain purposes.

"The risk of running afoul is at least minimalized, but there are tons of issues here, and the fact that now there are criminal sanctions that could be applied, is an issue," said Simkevitz.

The recklessness aspect of the bill is probably intended to capture people who do more than just act negligently, but "turn a blind eye" to securing personal information, said David Canton, a lawyer with London, Ont.-based law firm Harrison Pensa LLP.

When transferring that type of data to a third party, the organization should seek assurances that the recipient of the information is going to do what it has said it will do with the data, he said. Often, having contractual provisions to limit use of the data by a third party is useful, he added.

If companies seek such assurances, he said, "I would suspect that they haven’t crossed the reckless threshold."

But a rogue employee stealing customer personal information for the purposes of fraud could, depending on the circumstance, mean the company has been reckless, said Simkevitz. However, he said, if the company can demonstrate it took necessary actions to mitigate such risk, then it may not be held liable.

Typically, organizations are "vicariously liable" for actions of their employees, said Canton. Specifically, if the act committed falls within the ambit of that person’s job, then the organization can be held liable, he added, but "it’s not always an easy line to draw."

But given that Bill C-27 complements PIPEDA and other existing privacy legislation, said Canton, companies who have already dealt with privacy probably have dealt with the issues that this new bill presents.

The bill’s proposals do not add anything to existing legislation, said Canton, "but raises the bar and is maybe one way of putting criminal teeth in the security aspect of [PIPEDA], although it’s probably not its prime intention."

Canton said it’s hard to argue against some of the contents of the bill and it’s usually difficult to tell if such things will help deter identity theft, but it’s nonetheless a useful tool.

If anything, said Simkevitz, the bill "sensitizes corporations to the importance of protecting personal information."

In particular, he said, it’s great that it includes compensating victims of identity fraud, but it doesn’t address the issue of quantifying damages like the loss of a driver’s license versus hassle at the border because of issues with stolen identity.

"It certainly does [add teeth to PIPEDA]. Is this sufficient? I would be more reluctant to say that it is," said Simkevitz.

Besides that, he said the proposed amendment doesn’t address the use of spam to collect personal information, nor the issue of breach notification.

Labels: breach notification, privacy