Federal politicians limit debate time on privacy breach notification bill

Canada’s House of Commons passed Thursday a time allocation motion on a bill that proposes to require organizations to inform both individuals and the federal Office of the Privacy Commissioner if personal information is lost or stolen.

Bill S-4, the Digital Privacy Act, would create new offences for deliberately failing to report data breaches to individuals and the federal privacy commissioner, with fines of up to $100,000 per every individual an organization failed to notify.

“If an organization has a data breach and its customers’ personal information is stolen or lost, it’s not currently mandatory for the company to disclose to the customers that their information has been compromised,” Industry Minister James Moore said in May, 2014 in Ottawa before the Standing Senate Committee on Transport and Communications, which held hearings at the time on Bill S-4.

“The Digital Privacy Act will require organizations to tell individuals if their personal information has been lost or stolen,” Moore added at the time. “As part of this notification, organizations will also have to tell individuals what steps they can take to protect themselves, such as changing their credit card PIN, their email password, setting up a secondary layer of security, and so on.”

Related: Average total cost of a data breach in Canada is $5.32 million: Ponemon Institute

The governent bill was tabled April 8, 2014 by British Columbia Conservative Senator Yonah Martin. It passed third reading in the Senate June 16, 2014 – with an amendment – and was tabled the following day for first reading in the House of Commons. The bill was then the subject of hearings of the House of Commons Standing Committee on Industry, Science and Technology. The committee sent the bill last April back to the Commons with no amendments.

The time allocation motion that passed Thursday stipulates that only one further sitting day be allotted to consideration at the report stage and second reading stage of Bill S-4, and that one sitting day be allotted to consideration of the bill at third reading in the Commons.

NDP members opposed the time allocation motion.

“I introduced a bill that the House could have passed into law already,” NDP MP Charmaine Borg, who represents the Montreal area riding of Terrebonne-Blainville, said Thursday. She was referring to Bill C-475, a private member’s bill that she tabled but was defeated in January, 2014 in the Commons. “Instead, the government is making (Bill S-4) an urgent matter at the last minute.”

Related: RIMS supports ‘unified standard’ across United States for cyber privacy breach notification

Had Bill C-475, been passed into law, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) would have been amended to require organizations having personal information under their control to notify the federal privacy commissioner “of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss or disclosure or unauthorized access.”

Bill C-475 was criticized in 2013 by London West Conservative MP Ed Holder, former president of Stevenson & Hunt Insurance Brokers Ltd.

Holder told the Commons in 2013 that Bill C-475 would “require organizations to report to the Privacy Commissioner every data breach posing a possible risk of harm.” He suggested at the time that the “average organization” would “err on the side of caution” and this would resulted in “notification fatigue” among consumers.

Nearly four years ago, the ruling Conservatives had proposed amendments to PIPEDA in Bill C-12, which died on the order table when Prime Minister Stephen Harper prorogued the House of Commons Sept. 13, 2013.

In order to be passed into law, Bill S-4 needs to pass third reading in the House of Commons.

It would require firms to notify people if their personal information has been lost “and there is a potential to expose us to harm,” Calgary Centre Conservative MP Joan Crockatt told the Commons last October. “The time frame companies would be given to do this under this bill would be as soon as was feasible. For example, if a company’s computer system was hacked and the clients’ credit card information was stolen, the company might need a week to put a fence around it and figure out how many people had been affected and let us, as consumers, know. If the data breach or the hacker was more sophisticated, it might take the company a couple of weeks to figure out everyone who was affected and let us know. There would be some flexibility, but one thing that would be very clear would be that companies could not delay notifying us when there was this kind of breach.”

Related: OIAA speaker explains how Ontario civil law on privacy affects cyber liability exposure

Crockatt added at the time that under her example, if a firm “failed to notify clients in the shortest time frame possible, it could be taken to court by the Privacy Commissioner or by individuals.”

Bill S-4 creates new offences relating to those data breach rules, Brant Conservative MP Phil McColeman said in October in the Commons.

Courts could “assess penalties for deliberately failing to report a data breach to the Privacy Commissioner, deliberately failing to notify an individual of a data breach and deliberately failing to maintain or deliberately destroying data breach records, noted McColeman, whose riding encompasses the city of Brantford, Ont. and surrounding area.

“In keeping with existing offences under PIPEDA, these offences would be subject to a fine of up to $10,000 on summary conviction and up to $100,000 on indictment,” McColeman said. “I would point out to the House that the organization can be assessed a penalty for each and every individual it fails to notify. Given the large number of individuals who could potentially be affected by a data breach, this is a very serious penalty indeed.”

Moore noted Thursday that there is currently “only a 45-day window when an individual Canadian can take an institution or a firm to court in order to get remedy with respect to the data breach that has taken place.”

Bill S-4 proposes to extend that time frame to a year.

Under PIPEDA, there is a requirement to complete an investigation “within a prescribed time period, and there are 45 days after which either the complainant or the commissioner can proceed to court for a de novo hearing in the event that we cannot resolve a matter with an organization,” said Patricia Kosseim, senior general counsel for the federal Office of the Privacy Commissioner, on Feb. 17, 2015 before the Commons’ industry committee.

“As we’ve experienced in practice, 45 days is a
very short time period to resolve some of the highly complex technological issues or broader accountability issues that organizations quite rightly need time to rectify, so we have developed a mechanism to allow organizations the time to put in place our recommendations,” Kosseim told the committee. “We then follow up with them several months, if not a year, afterwards to ensure they did follow through on the recommendations they said they would undertake to do.”

But she added under such circumstances, “our ability to go to court can be challenged if we’re outside the prescribed period.”

Privacy Commissioner Daniel Therrien also addressed the Commons industry committee.

Bill S-4 “would require organizations to keep records of data breaches of any kind,” Therrien said at the time. “We will be able to review their records to determine whether or not appropriate breach notification has occurred, and it will allow us to determine trends generally on the issues so that better advice can be given to organizations and individuals.”

The proposed law would also let OPC officials “determine whether the organizations are complying with mandatory breach notifications,” Therrien told the committee. “If they are not, in the worst-case scenarios, we could advise police authorities and the Attorney General so that prosecutions could be made against these organizations. So it’s a clear incentive for organizations to comply with the requirement.”

Some speakers addressing the Commons industry committee in February and March of this year expressed misgivings about Bill S-4.

“Unlike its predecessor, Bill C-12, clause 10 of Bill S-4 sets out a single test or threshold for both notifying individuals of a breach and reporting to the Privacy Commissioner,” said Suzanne Morin, executive member, national privacy and access law section of the Canadian Bar Association. “In effect, every breach that is notifiable to an individual will now also be reportable to the OPC, requiring businesses to change their current practices.”

Related: The Little Risk that Could

Morin recommended at the time that the threshold for reporting breaches to OPC “should be premised on the existence of a material breach.”

She added the record-keeping requirement “places too great a burden on all organizations regardless of size or industry, with no commensurate benefit for the protection of Canadians.”

But Tamir Israel, staff lawyer for the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic, told the committee his organization is “concerned that the standard for notifying the Privacy Commissioner is too high.”

Israel contended at the time that it is “very useful to have notification directly to the Privacy Commissioner of a majority of breaches for tracking purposes and to generally improve incentives to adopt rigorous technical safeguards.”