Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
I suspect many reading this have experienced dealing with at least one data breach. They happen all the time and most are quickly contained, rectified and result in little nuisance apart from documenting everything properly.
The Office of the Privacy Commissioner of Canada experienced a breach several years ago. The OPC was moving from downtown Ottawa to offices across the river in Gatineau. All hard drives were logged that were supposed to make the trip, but when the new office was unpacked, one — or some, I can't remember — hard drive(s) was/were discovered missing.
It wasn't stolen — at least we don't think it was. It was simply misplaced. But it did contain personal information of hundreds of current and past employees. I was among them.
It took them several weeks to figure out the details of what happened, and the OPC eventually felt confident enough to send notices to individuals whose personal information was lost — again, me being one of them. They did not offer credit monitoring or identity theft protection.
After the OPC breach, I remember Chantal Bernier, who was serving as interim commissioner at the time, speaking at conferences about her experience with the breach and saying it was an unfortunate, humbling event that nonetheless gave the office some very useful perspective it didn't have prior to that very real experience.
That was more than 10 years ago. And, as we all know, things change rapidly these days when it comes to our industry. So, while I don't wish any of our regulators in Canada to endure a breach, I think it would be helpful for them to get a deeper sense of — and actually see — what organizations do when something occurs. From the more innocuous breaches to the more egregious ones.
Often, breaches are caused because there are organized and very sophisticated crime syndicates causing the havoc. They invest heavily in their illegal operations as though it was a legitimate business. They recruit the smartest and brightest technophiles and lure them with exorbitant salaries that law enforcement cannot compete with.
When breaches occur, my experience is that Canadian regulators are well-meaning in their approaches to tackle the problems, but they generally lack useful experience and perspective to even better understand the vast complexities of the issues.
To this end, I have, on a few occasions, voluntarily offered to set up educational meetings with the firms that do the forensic work and negotiations with the threat actors. And, when a breach involves jurisdictions outside of Canada, it would be helpful for our Canadian regulators to better understand all the hundreds, if not thousands, of issues involved when handling multiple jurisdictions in a crisis at the same time.
So, this week, I'm once again raising the idea that regulators, lawyers, forensic firms and negotiators come together for a series of enlightening lunch and learns. If anyone reading this is interested in pursuing the idea, let me know. I'll bring the pizza.
Kris Klein, CIPP/C, CIPM, FIP, is the managing director for Canada for the IAPP.
This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.