Data Protection For Your Company
OTTAWA - Consumers have to contend with "inexcusable" security breaches because many companies ignore some of the most basic steps to protect their personal information, Canada's privacy commissioner says in a hard-hitting report released yesterday.
Jennifer Stoddart's annual report on whether companies are complying with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), tabled in Parliament, points to some huge gaps in their legal obligations to safeguard the personal data they collect.
The year "2007 was the year of data privacy disasters, highlighting the need for companies to recognize the value of personal information and take more care in securing it," the report states. Ms. Stoddart found that many companies are failing to implement "elementary security measures," such as using encryption on laptops. As a result, these unprotected or stolen laptops, often containing customer information, remain a "huge issue" for the private sector.
Last year, nine in 10 people whose data were compromised by a self-reported security breach were put at risk because their personal information was held in an electronic format that was either not secured or lacked adequate protection mechanisms, such as firewalls or encryption, the report found. Other breaches occurred because staff failed to follow company protocols to protect the private information of their customers. "I would think with the alarm bells going off about huge data-security breaches that most companies would be taking more active steps," Ms. Stoddart said in an interview.
This type of "gambling with personal information" leaves consumers in a precarious spot, the report states. "Of course, not all of the data compromised in these kinds of breaches winds up in the hands of criminals. However, it is clear crooks have recognized that personal data is a gold mine. Identity theft is rampant --and lucrative." Financial institutions reported the largest number of breaches in 2007. Banks also generated the most complaints, making up almost one-third (105 of the 350) of complaints alleging violations of the act.
Telecommunications, insurance and retail companies also reported a number of breaches and were the target of complaints, although in smaller numbers than in previous years. Virtually every privacy issue and complaint contained an information-technology component, the report found, singling out its investigation last year of the massive breach at TJX-owned stores, including HomeSense and Winners. The breach involved about 94 million debit and credit numbers worldwide after the company delayed upgrading the company's outdated computer security system because of costs. "It was an expensive proposition and it cut into their profit margin and that's documented in the investigation," Ms. Stoddart said.
The Office of the Privacy Commissioner has already received more voluntary breach reports in the first five months of this year (21) than it did for all of 2006 (20), but Ms. Stoddart is worried the situation is worse than it appears because few small- and medium-sized businesses are reporting breaches. As a result, she strongly supports a plan by Industry Canada to make it mandatory for companies to report any material data breach to the privacy commissioner.
The legislative blueprint outlining the amendment to the legislation has been criticized by consumer groups because it leaves it up to companies to decide when to tell customers of a loss of personal information and only in cases where businesses determine there is a "high risk of significant harm" from the security breach.
Ariane Siegel, a member of the technology practice group at the law firm Gowlings and a specialist in Canada's privacy laws, said companies are working with the privacy commissioner to limit data breaches. "This is not in any way an excuse for companies out there, but it takes a really long time for concepts and technology to trickle down to a point that they're broadly accepted into the marketplace. Just think of the cost. Just a few years ago, we were all buying laptop computers that cost $4,000. Now, you can get one for $600."
Also weighing in on the issue yesterday was the Canadian Bar Association, which told a House of Commons committee studying reforms to the Privacy Act that federal institutions should be required to notify individuals if their personal information has been improperly disclosed.