CIPPIC calls for data security breach notification law

News Release Ottawa, ON January 9, 2007

Group calls for Security Breach Notification Law

The Canadian Internet Policy and Public Interest Clinic (CIPPIC) at the University of Ottawa is calling on the federal government to enact legislation requiring organizations to notify individuals when their personal information is exposed to potential thieves and fraudsters as a result of a security breach. In a White Paper released today, CIPPIC reviews breach notification laws enacted by over thirty American states so far, and argues that the federal government should have similar protections in place for Canadians.

During its review of the Personal Information Protection and Electronic Documents Act last November and December, the House of Commons Standing Committee on Access to Information, Privacy and Ethics heard from many witnesses who called for a security breach notification law in Canada.

"The absence of a clear requirement for notification in the case of security breaches is a glaring gap in our existing data protection law", said Philippa Lawson, Director of CIPPIC and co-author of the report. "There is no market incentive for organizations to admit to security breaches if they don't have to. Individuals whose personal data has been acquired by an identity thief from an organization with whom they do business will most likely never know of the breach and so won't be able to take measures to prevent subsequent fraud in their name. And without the prospect of costly notification and reputational loss, there is less incentive for organizations to beef up their security."

A recent poll by Harris Interactive indicates that, of the estimated 49 million Americans who were notified of unauthorized access to their personal information during the past three years, 19% (approximately 9.3 million people) believe that something harmful happened to them as a result of the breach. Such harm included merchandise charged in their name (43%), some kind of fraud costing them money (35%), money taken from their bank account (18%), a credit card taken out in their name (11%), or someone posing as them to get a benefit or service (8%).

"While there's a case to be made that notification obligations are implicit in the Act's requirements for security safeguards, such obligations should be made explicit along with clear criteria and guidelines so that organizations faced with a security breach know what they have to do", says Lawson.

CIPPIC's White Paper is available online at .

- 30 -