The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Saturday, January 27, 2007

Will this be the beginning of breach notification in Canada?

The recent personal information breaches in Canada have prompted a lot of discussion about breach notification.

This may be the upswell of citizen concern that will prompt legislative change in Canada. From today's Halifax Chronicle Herald:

The ChronicleHerald.ca - Should retailers come clean? Businesses not obligated to alert consumers when information is stolen

By CLARE MELLOR Business Reporter

Retailers and financial institutions in Canada don’t have to tell customers when thieves have stolen their personal information.

Recent cases of data theft at Winners and the loss of a hard drive at CIBC have made headlines across the country, alerting Canadian consumers to be on guard for identity theft, but these security breaches could be the tip of the iceberg, privacy experts say.

"There are probably a whole lot more incidents out there that we haven’t heard about because the businesses have no legal reason that requires them to tell the consumers involved," Halifax lawyer David Fraser, a privacy specialist, said Friday.

"One of the big questions on law reform in this area is whether a business should have a duty to notify people whose information has been compromised."

CIBC, which was earlier taken to task by federal privacy commissioner Jennifer Stoddart for lapses in security involving misdirected faxes, issued a news release and sent letters to Talvest mutual-fund holders last week. The company said a backup computer file containing their personal information had gone missing in transit.

TJX Cos., American operator of Winners and HomeSense, recently revealed that computer hackers had broken into its system, but the firm has not said how many customers had personal data stolen.

About 30 states have laws requiring businesses to notify their customers when their personal information has been stolen or lost, Mr. Fraser said.

A parliamentary committee has been reviewing Canada’s federal privacy law. Requirements to notify the public when a breach happens are being discussed.

When Ms. Stoddart appears before the committee, she will likely call for changes to the law requiring businesses to inform consumers when their information has been stolen or gone missing, Anne-Marie Hayden, spokeswoman for the privacy commissioner’s office, said Friday.

Under Canada’s privacy law, businesses and banks must keep personal information secure and not share it without client consent.

While Ms. Stoddart’s office can’t fine or penalize businesses that repeatedly break the law, it can pursue legal action through the Federal Court, Ms. Hayden said.

"It would be safe to say that most of the time when the commissioner makes recommendations (to tighten privacy practices), those changes are implemented," she said.

But David Malamed, a forensic accountant, said it is clear many companies are not taking their privacy obligations seriously enough.

"A lot of the reason that it is happening is that the focus for a lot of companies is on the bottom line," said Mr. Malamed, who works at Grant Thornton in Toronto.

"As systems advance, people get smarter and the question is how money is being invested into protecting these systems. . . . There are different methods that you can go about to protect your customer information that will help prevent this from happening or at least reduce it to a greater degree."

There have been media reports of fraudulent purchases made with customer information stolen from Winners.

A Canadian law firm, Merchant Law Group, which has offices in Saskatchewan and Alberta, has already launched a class-action suit over the security breach.

But there is some question about whether Canadian consumers can successfully sue for theft or mishandling of their personal information, Mr. Fraser said.

"If you are the subject of fraud, you may be able to successfully sue them," he said. "But if you can’t prove harm, it is much more difficult."

(cmellor@herald.ca)


The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.