OTTAWA - Canada would have one of the weakest data breach laws in the western world even if proposed revisions currently before Parliament are passed, according to an analysis by the federal privacy watchdog.
The United States, Australia, Britain, France, Germany, Ireland and Spain either have — or are planning — stiffer enforcement measures to penalize organizations for breaches resulting in exposure of personal information, says the comparison released under the Access to Information Act.
The newly disclosed documents show the office of Privacy Commissioner Jennifer Stoddart prepared the analysis last June for deputy Industry minister Richard Dicerni.
Accompanying notes to brief Stoddart for a meeting with Dicerni suggested she tell him a federal bill intended to better manage data breaches "is beginning to look dated."
"Many international data protection agencies now have, or will soon have, much stronger enforcement powers than exist in Canada," say the notes.
"I am no longer certain I can provide wholehearted support for the legislation as currently drafted."
The notes also recommended she push Dicerni for his views on how the legislation could be amended to ensure organizations could be properly sanctioned for lapses.
Industry Minister Tony Clement introduced Bill C-12 more than a year ago — the government's long-awaited response to a parliamentary review of the privacy law governing businesses. However, it has made little progress in the House of Commons.
The bill would amend federal privacy law covering the private sector to require organizations to report data breaches to the commissioner's office and to notify people affected if there is a "real risk of significant harm" to the individuals.
However, Stoddart would have no ability to fine an organization and no order-making powers.
She has said publicly this would mean hauling an unco-operative company to court to ensure they notify their customers about a breach — a process that could take months.
In 2011, Stoddart's office was notified of 64 breaches, up from 44 in 2010.
If the bill becomes law, there will be a three-fold increase in the number of breach notifications, according to an analysis commissioned by the privacy commissioner.
But Stoddart argues the proposed law will need more teeth to keep pace with the expanding digital universe and the threat from cyber-criminals and hackers.
A spokeswoman for Stoddart said Monday that when Parliament considers C-12, the commissioner will have "a number of comments" and expects to present proposed changes.
"We have seen numerous high-profile breaches involving large numbers of records," say the notes drafted by her officials.
They point to 2011 lapses involving companies Sony and Epsilon, each affecting tens of millions of people.
In contrast to the federal proposal, Alberta's privacy commissioner — who operates under provincial legislation — can order an organization to notify customers of a breach.
The U.S. Federal Trade Commission, meanwhile, has levied large fines including US$10 million in civil penalties and US$5 million in consumer redress against data broker ChoicePoint Inc., the privacy commissioner's office notes.
In Britain, the information commissioner's office fined the Surrey County Council $192,000 for failing to secure information about the mental and physical health of adults and children.
Other, little-noticed provisions of Bill C-12 would also make it easier for Internet service providers, email hosts and social media sites to voluntarily share personal information about customers with police — possibly including private security firms.
The legislation could also effectively impose a gag on the Internet companies, preventing them from telling customers their personal details have been shared.
Your Birth Date And Place
While it might be nice to hear from Facebook well-wishers on your birthday, you should think twice before posting your full birthday. Beth Givens, executive director of the <a href="http://www.privacyrights.org/" target="_hplink">Privacy Rights Clearinghouse</a> <a href="http://finance.yahoo.com/family-home/article/110674/6-things-you-should-never-reveal-on-facebook">advises</a> that revealing your exact birthday and your place of birth is like handing over your financial security to thieves. Furthermore, Carnegie Mellon researchers recently <a href="http://arstechnica.com/tech-policy/news/2009/07/social-insecurity-numbers-open-to-hacking.ars" target="_hplink">discovered</a> that they could reconstruct social security numbers using an individual's birthday and place of birth. Rather than remove your birthday entirely, you could enter a date that's just a few days off from your real birthday.
Your Mother's Maiden Name
"Your mother’s maiden name is an especially valuable bit of information, not least since it’s often the answer to security questions on many sites," writes the <em><a href="http://bucks.blogs.nytimes.com/2010/10/12/what-not-to-tell-facebook-friends/?src=tptw" target="_hplink">New York Times</a></em>. Credit card companies, your wireless service provider, and numerous other firms frequently rely on this tidbit to protect your personal information.
Your Home Address
Publicizing your home address enables everyone and anyone with whom you've shared that information to see where you live, from exes to employers. Opening up in this way could have negative repercussions: for example, there have been instances in which <a href="http://www.huffingtonpost.com/2010/02/17/please-rob-me-site-tells_n_465966.html" target="_hplink">burglars have used Facebook to target users</a> who said they were not at home.
Your Long Trips Away From Home
Don't post status updates that mention when you will be away from home, <a href="http://bucks.blogs.nytimes.com/2010/09/15/dont-tell-facebook-friends-that-youre-going-away/" target="_hplink">advises</a> <em>New York Times</em> columnist Ron Lieber. When you broadcast your vacation dates, you might be telling untrustworthy Facebook "friends" that your house is empty and unwatched. "[R]emind 'friends' that you have an alarm or a guard dog," Lieber writes.
Your Short Trips Away From Home
Although new features like Facebook Places encourage you to check in during outings and broadcast your location (be it at a restaurant, park, or store), you might think twice even before sharing information about shorter departures from your home. "Don’t post messages such as 'out for a run' or 'at the mall shopping for my sweetie,'" Identity Theft 911 <a href="http://identitytheft911.com/company/press/release.ext?sp=11132" target="_hplink">cautions</a>. "Thieves could use that information to physically break in your house."
Your Inappropriate Photos
By now, nearly everyone knows that racy, illicit, or otherwise incriminating photos posted on Facebook can cost you a job (or worse). But even deleted photos could come back to haunt you. Ars Technica recently <a href="http://arstechnica.com/web/news/2010/10/facebook-may-be-making-strides.ars" target="_hplink">discovered</a> that Facebook's servers can store deleted photos for an unspecified amount of time. "It's possible," a Facebook spokesperson <a href="http://arstechnica.com/web/news/2010/10/facebook-may-be-making-strides.ars" target="_hplink">told</a> Ars Technica, "that someone who previously had access to a photo and saved the direct URL from our content delivery network partner could still access the photo."
Flubbing on your tax returns? Can't stand your boss? Pulled a 'dine and dash?' Don't tell Facebook. The site's privacy settings allow you to control with whom you share certain information--for example, you can create a Group that consists only of your closest friends--but, once posted, it can be hard to erase proof of your illicit or illegal activities, and difficult to keep it from spreading. There are countless examples of workers getting the axe for oversharing on Facebook, as well as many instances in which <a href="http://www.huffingtonpost.com/2010/08/16/arrested-over-facebook-po_n_683160.html" target="_hplink">people have been arrested</a> for information they shared on the social networking site. (Click <a href="http://www.huffingtonpost.com/2010/07/26/fired-over-facebook-posts_n_659170.html" target="_hplink">here</a> to see a few examples of Facebook posts that got people canned.)
Your Phone Number
Watch where you post your phone number. Include it in your profile and, depending on your privacy settings, even your most distant Facebook "friends" (think exes, elementary school contacts, friends-of-friends) might be able to access it and give you a ring. Sharing it with Facebook Pages can also get you in trouble. Developer Tom Scott created an app called <a href="http://www.huffingtonpost.com/2010/05/24/evil-facebook-app-exposes_n_587144.html" target="_hplink">Evil</a> that displays phone numbers published anywhere on Facebook. <a href="http://www.huffingtonpost.com/2010/05/24/evil-facebook-app-exposes_n_587144.html" target="_hplink">According to Scott</a>, "There are uncountable numbers of groups on Facebook called 'lost my phone!!!!! need ur numbers!!!!!' [...] Most of them are marked as 'public', and a lot of folks don't understand what that means in Facebook's context -- to Facebook, 'public' means everyone in the world, whether they're a Facebook member or not."
Your Vacation Countdown
<a href="http://finance.yahoo.com/family-home/article/110674/6-things-you-should-never-reveal-on-facebook" target="_hplink">CBSMoneyWatch.com</a> warns social network users that counting down the days to a vacation can be as negligent as stating how many days the vacation will last. "There may be a better way to say 'Rob me, please' than posting something along the lines of: 'Count-down to Maui! Two days and Ritz Carlton, here we come!' on [a social networking site]. But it's hard to think of one. Post the photos on Facebook when you return, if you like. But don't invite criminals in by telling them specifically when you'll be gone," MoneyWatch <a href="http://finance.yahoo.com/family-home/article/110674/6-things-you-should-never-reveal-on-facebook" target="_hplink">writes</a>.
Your Child's Name
Identity thieves also target children. "Don't use a child's name in photo tags or captions," <a href="http://www.consumerreports.org/cro/magazine-archive/2010/june/electronics-computers/social-insecurity/7-things-to-stop-doing-on-facebook/index.htm" target="_hplink">writes</a> Consumer Reports. "If someone else does, delete it by clicking on Remove Tag. If your child isn't on Facebook and someone includes his or her name in a caption, ask that person to remove the name."
Your 'Risky' Behavior
CBSMoneyWatch.com <a href="http://moneywatch.bnet.com/saving-money/blog/devil-details/6-things-you-should-never-reveal-on-facebook/2360/?tag=content;col1" target="_hplink">writes</a>: <blockquote>You take your classic Camaro out for street racing, soar above the hills in a hang glider, or smoke like a chimney? Insurers are increasingly turning to the web to figure out whether their applicants and customers are putting their lives or property at risk, according to Insure.com.</blockquote> There have been additional <a href="http://www.huffingtonpost.com/2010/02/22/facebook-twitter-users-co_n_471548.html" target="_hplink">reports</a> that insurance companies may adjust users' premiums based on what they post to Facebook. Given that criminals are turning to high-tech tools like Google Street View and Facebook to target victims, "I wouldn't be surprised if, as social media grow in popularity and more location-based applications come to fore, insurance providers consider these in their pricing of an individual's risk," <a href="http://www.huffingtonpost.com/2010/02/22/facebook-twitter-users-co_n_471548.html" target="_hplink">says</a> Darren Black, head of home insurance for Confused.com.
The Layout Of Your Home
<a href="http://identitytheft911.com/company/press/release.ext?sp=11132" target="_hplink">Identity Theft 911</a> reminds Facebook users never to post photos that reveal the layout of an apartment or home and the valuables therein.
Your Profile On Public Search
Do you want your Facebook profile--even bare-bones information like your gender, name, and profile picture--appearing in a Google search? If not, you should block your profile from appearing in search engine results. Consumer Reports <a href="http://www.consumerreports.org/cro/magazine-archive/2010/june/electronics-computers/social-insecurity/7-things-to-stop-doing-on-facebook/index.htm" target="_blank">advises</a> that doing so will "help prevent strangers from accessing your page." To change this privacy setting, go to Privacy Settings under Account, then Sharing on Facebook.