Canadian data breach notification guidelines – jointly created by the Information and Privacy Commissioners for British Columbia and Ontario – have made their way to the land down under.
Last week, Australian Privacy Commissioner Karen Curtis released the Voluntary Information Security Breach Notification Guide, which aims to assist organizations in effectively responding to information security breaches. The draft guide credits voluntary guidelines by both the Privacy Commissioners of Canada and New Zealand.
“We had worked with the New Zealand privacy commissioner and showed her our breach notification assessment tool,” Ann Cavoukian, Information and Privacy Commissioner of Ontario, said. “She took it and developed one in New Zealand similar to ours. It’s great to see Australia follow suit.” The Canadian breach notification guide was jointly created in December 2006 and outlines steps on when and how to notify affected individuals.
“When you’re notifying somebody of a breach relating to their data, you’ve got to be perfectly clear and concise,” Cavoukian said. “In regards to the preferred method of notification, we think direct contact either by phone, letter or in person are the most effective methods.”
As for what to include in the notification, the assessment tool advises organizations to provide a general description of what happened without a lot of legal jargon, outline the steps taken thus far (and those that will be taken in the future) to control or reduce the harm, and describe the steps the individual can take to further protect themselves.
“You’ve got to be practical and do things as quickly as possible,” Cavoukian said. “You need to contain the damages, get the notices out, fix the problem and prevent it from reoccurring. You also have to be practical about it and notify people in a way that’s not full of legal legalese and provides clear notice as to what you’re doing.”
Currently, Australia’s privacy legislation does not specifically require an agency or organization to notify individuals, or even the privacy commissioner, of a data breach. However, an amendment to the Australian Privacy Act to require mandatory data breach notification is under way.
The same story is playing out in Canada. Last year, the federal government recommended that data protection laws – specifically the Personal Information Protection and Electronic Documents Act (PIPEDA) – be amended to include requirements for companies to notify individuals when their personal information was subject to a security breach.
Cavoukian hopes the breach notification assessment tool, along with the influence it is having on the other side of the globe, will inspire the federal government to implement an effective and common-sense approach on breach notification.
“They’re certainly aware of our guidelines, so I’m sure it’s food for fodder for them,” she said. “We’ve had very good feedback on our guidelines and I’m sure it’ll be one of the things that they take into consideration.”
But some organizations, such as the University of Ottawa’s Canadian Internet Policy and Public Interest Clinic (CIPPIC), want the government to go even further. Responding to an Industry Canada request for public consultation on data security laws earlier this year, CIPPIC recommended mandatory reporting of data breaches to a publicly accessible electronic registry as the most effective way to persuade corporations to shore up their potential security risks.
“We’ve been pushing for notification requirements for years, because it’s obvious to me and my colleagues that, by and large, corporations are not doing as much as they should be to secure the personal information in their possession,” Pippa Lawson, executive director at CIPPIC, told ComputerWorld Canada earlier this year. “Our conclusion from years of research is that the market does not provide efficient incentives for effective security precautions, because in most cases, companies can hide the breaches and they are never publicly known about.”
Lawson said that while the government’s interest in drafting better data breach notification laws is positive, Ottawa needs to take it a step further and require mandatory public reporting as well.
“There’s two ways that you can create incentives for companies to take strong security measures: one is to make them pay financially through penalties and fines, and two is to give them bad publicity that can be even more costly,” Lawson said. “If there is a real risk of negative publicity for these companies, the CEOs will make sure that they put more resources into security.”
David Senf, director of security and software research at Toronto-based IDC Canada Ltd., said Canada would benefit greatly from privacy legislation similar to that passed in California, which requires organizations to reveal to customers that personal data has been compromised.
“Organizations in this country don’t fear the repercussions of PIPEDA,” Senf said earlier this year. “Stronger legislation will go a long way in convincing organizations to tighten up security for better privacy protection.”
Cavoukian, however, disagreed with taking such a punitive approach. As a regulator, she said, her concern is to ensure that when something happens, it is addressed immediately and as quickly as possible to benefit the affected individuals.
“You can almost take as a given that over time, virtually every company is going to make an oversight or a mistake and have some kind of data breach,” Cavoukian said. “My experience in working with organizations is that as soon as they know there’s a breach, they’re really motivated to cure the harm and prevent it. If you create a database of who did what and how many times they did it, I just don’t know how effective it would be.”