I have the honor of filling in for Kris Klein, who is on a well-deserved vacation this week (no need to panic – he’ll be back next Friday).
Data breaches continue to be top of mind in privacy news. This is mostly due to the Capital One breach, which affected six million Canadians and has resulted in a class-action lawsuit (seeking $350 million in damages) filed in Ontario. Also, a breach at Revenu Québec was reported earlier this week.
Kris said last week that we need better laws. I am skeptical of more regulation, especially after seeing the incredible and unnecessary regulatory burden that was created by Canada’s Anti-Spam Legislation.
One measure that might reduce the risk of some breaches is more specific guidance on data security requirements. Canadian privacy laws tend to be vague on what organizations must do to secure personal information. Principle 7 of the Personal Information Protection and Electronic Documents Act, for example, says that “personal information shall be protected by security safeguards appropriate to the sensitivity of the information” and barely any more than that.
This makes it difficult for organizations to understand their legal obligations. For those of us who have the time and inclination, we look through Office of the Privacy Commissioner findings for their expectations of how the PIPEDA standard is to be applied in certain cases. But when I’m asked what a company needs to do to protect personal information, I am unable to point to a clear and comprehensive legal standard. This can be especially frustrating for smaller, less sophisticated organizations that lack the resources to hire security consultants and are looking for straightforward guidance.
Of course, there is always a risk of being too prescriptive in law, and there are obvious reasons why the drafters of PIPEDA left principle 7 so vague: there is no one-size-fits-all approach to data security and standards need to evolve quickly to keep pace with the changing threat landscape. Most importantly, it’s crucial to avoid imposing unnecessary regulatory burden on Canadian businesses (see my comment about CASL).
But there must be some room for improvement in PIPEDA (and other laws). Legislation can be supplemented by regulations, which are more flexible. Regulations can reference standards and guidelines, which are even more flexible. For example, regulations under the Manitoba Personal Health Information Act describe a number of measures, including requirements for trustees to have written security policies and procedures, maintain and conduct audits of records of user activity in accordance with ministerial guidelines, provide training on security policies and conduct biannual audits of security safeguards.
I’d hesitate to agree with the notion that breaches can be reduced by simply imposing huge fines. However, if PIPEDA were amended to allow penalties for organizations that fail to implement appropriate security safeguards, it would be absurd and unfair to penalize organizations without first providing guidance on what those safeguards are supposed to be.