December 9, 2013 by Canadian Underwriter
Federal politicians debated last week a privacy breach notification bill, with the former president of an insurance brokerage warning that Bill C-475, if passed into law, could result in “notification fatigue” among consumers.
“The bill would require organizations to report to the Privacy Commissioner every data breach posing a possible risk of harm,” Conservative Member of Parliament Ed Holder said in the House of Commons of Bill C-475. “The average organization is risk-averse, and will err on the side of caution. I know that from my own business experience. As a result, it is likely that all breaches would be reported under these circumstances, undoubtedly resulting in notification fatigue among consumers.”
Holder, MP for London West, was president of Stevenson & Hunt Insurance Brokers Ltd. from 1999 until he was elected to office in 2008.
Bill C-475, if passed into law, would change the federal Personal Information Protection and Electronic Documents Act (PIPEDA) by requiring organizations having personal information under their control to notify the federal privacy commissioner “of any incident involving the loss or disclosure of, or unauthorized access to, personal information, where a reasonable person would conclude that there exists a possible risk of harm to an individual as a result of the loss or disclosure or unauthorized access.”
The privacy commissioner would then have the power to order the organization to notify affected individuals, “without unreasonable delay,” if the commissioner “determines that the loss or disclosure of, or unauthorized access to, personal information is likely to result in an appreciable risk of harm.”
Debate on Bill C-475 was adjourned Dec. 5 and is scheduled to resume Dec. 11. It has yet to pass second reading. It was sponsored by Charmaine Borg, the New Democratic Party MP for Terrebonne-Blainville, near Montreal.
“The current legislation does not provide for Canadians to be notified of a breach of their personal information,” Borg said of PIPEDA in the House of Commons when she tabled Bill C-475 last May. “Organizations are not in fact required to notify them, regardless of the seriousness of the breach.”
But on Dec. 5, Holder quoted Borg as saying there are 18 privacy breaches every year for every publicly traded company in Canada.
“We know there are over 3,000 companies traded on the Canadian-based stock exchanges,” Holder said. “That would amount to a minimum of 54,000 data breach incidents every year. Given the number of days to assess a single data breach incident, it does not serve the public interest to process each of these 50,000 incidents each year.”
Holder contended the intent of breach notification legislation is to “provide Canadians with timely information about a breach of their personal information so that they can take steps to avoid fraud, identity theft, and misuse of their personal information.”
He added it is “not clear” to him that Borg “has fully considered the administrative and resource implications of dumping this requirement on the Privacy Commissioner’s office, and whether it is in the public interest of Canadians to receive so many notifications.”
In September 2011 the government had introduced its own proposed amendments to PIPEDA – Bill C-12 – but that bill died on the order paper when Prime Minister Stephen Harper prorogued the House of Commons on Sept. 13, 2013.
On Dec. 5, 2013, Megan Leslie, NDP MP for Halifax, said in the Commons that the Privacy Commissioner has previously recommended that PIPEDA should “require organizations to report breaches of personal information to the Commissioner and to notify affected individuals, where warranted, so that appropriate mitigation measures can be taken in a timely manner.”
Leslie added that the harms that can come from privacy breaches include “identity theft, financial loss, negative credit ratings, and even physical harm.”
Kevin Lamoureux, MP for Winnipeg North and Deputy House Leader for the Liberals, argued Dec. 5 that Bill C-475 should be sent to committee for further consideration.
“When we take into consideration the concern that Canadians have as a whole related to the issue of personal information and wanting to see government doing more, I do not see what we have to lose by allowing the bill to be sent to committee.”
Holder explained why the governing Conservatives do not agree that organizations should be forced to notify the Privacy Commissioner of every breach.
“The government is committed to an approach that would require the organization experiencing a breach to conduct the risk assessment based on the sensitivity of the data and the probability that they have been or will be misused,” he said. “The organization is in the best position to quickly assess the circumstances surrounding a breach of its security safeguards and to determine the risks involved.”
Holder also suggested the privacy commissioner should “have the option of initiating an investigation if it were believed that notification did not occur when it was required.”