Sometimes I worry there may be a bit of breach fatigue. And that, my friends, is a dangerous thing.
At least breach notification is now written into many private-sector privacy laws, although assessing whether a breach poses a real risk of significant harm (RROSH) is still somewhat subjective, despite some existing guidance.
It still astounds me that the government continues to hold itself to a much lower standard: there is no statutory breach-notification requirement for government institutions. At least it looks like the federal Department of Justice will recommend some sort of data breach regime in the new Privacy Act.
But in the meantime, the lack of accountability with respect to personal information handling practices is probably why we have this latest story which, I would argue, carries a heck of a lot more RROSH than what could happen if the information held by a business were to be compromised. The story highlights that the Conservatives have written to Privacy Commissioner Daniel Therrien to complain about a pattern of data breaches at Immigration, Refugees and Citizenship Canada. The complaint is in response to a string of misdirected emails last month that may have exposed hundreds of vulnerable Afghans to danger.
Alarmingly, the story also highlights how IRCC interprets the Treasury Board policy on reporting data breaches, and I fear they may be taking a rather relaxed view on the threshold question (e.g., whether the breach is “material”).
At least on the surface, it would appear that many breaches are happening that should be reported and are not.
I have to admit I would love to see Privacy Act reforms on issues like these leapfrog the reforms being considered for PIPEDA.
On a happier note, from my experience dealing with the clients I work with, I’m encouraged to see organizations, admittedly mostly in the private sector, develop breach readiness plans. I think those plans put them in a solid place to properly address these issues when they come up and, for example, consider what RROSH and material really mean in practice. For those who don’t have a breach plan in place yet, remember that an ounce of prevention is worth a pound of cure. After all, it’s usually not a matter of whether a breach will occur, but rather when it will occur. We just need the public sector to catch up, I guess.