The digital age has brought the incredible and enjoyable convenience of conducting multiple kinds of transactions online. However, with this accessibility comes responsibility; the increasing sophistication of cybercrime and electronic fraud operations requires legislators and businesses to engage in a more robust approach to protecting the personal information of Canadians.
In February this year, a laptop belonging to the Investment Industry Regulatory Organization of Canada (IIROC) was lost in Montreal. It contained the personal financial data of 52,000 Canadian investors. Shockingly, the regulatory organization did not follow its own data protection policies and the data was not encrypted. Worse, IIROC took two months to notify affected individuals and the public about the data breach.
Unfortunately, this breach is not an isolated event.
In April this year, the online discount site LivingSocial experienced a cyberattack in which hackers accessed the names, e-mail addresses, birth dates and passwords of over 50 million customers. In March, Evernote's cloud-based data storage was compromised, giving attackers access to users' names, addresses and encrypted passwords.
Additionally, it was recently revealed that over 2,900 government data breaches have occurred since the Conservatives took power in 2006. These breaches compromised the personal information of more than 1 million Canadians and 90 per cent of the breaches were not reported to the Privacy Commissioner.
Despite their frequency and scale, there is no statutory obligation requiring organizations to report data breaches.
An unreported breach can have serious consequences for unsuspecting Canadians, from social media users to investors. Reliable data on data breaches is hard to come by, but we do know that identity fraud cost Canadians $76 million in 2012. We also know that, to date, one million Canadians have been victims of phishing emails involving their banking information.
As a response to these challenges, I have introduced Bill C-475, An Act to Amend the Personal Information Protection and Electronic Documents Act (order-making power). Among other provisions, this bill seeks to implement a mandatory data breach reporting mechanism for organizations: in short, if an organization loses your personal information for whatever reason, and you are put at risk of harm, it must report the loss to you, without unreasonable delay.
The benefits are clear for individual Internet users, businesses and society in general. Individual Canadians would be quickly alerted to potential risks when their personal information is involved in a security breach. You would then be able to take immediate action to protect your sensitive data and prevent identity fraud.
As well, this bill means that businesses would be able to count on the expertise of the Privacy Commissioner's office in determining whether public notification, following a breach, would be appropriate. Mandatory reporting to the Privacy Commissioner would also centralize the data gathering on data breaches and better inform the public and private sectors about emerging data security risks and trends.
Both internationally and domestically there is a growing consensus on the need for breach reporting. Laws in Germany, the UK and France already require reporting to privacy or information commissioners and citizens in cases where personal data is jeopardized or compromised. Closer to home, just last week, the Privacy Commissioner of Canada unveiled a white paper calling for the introduction of strong data breach reporting requirements into Canadian law. This announcement follows continued calls for the same from Canadian internet experts such as Michael Geist and consumer advocacy groups such as the Public Interest Advocacy Centre and Union des consommateurs.
It is time to restore the confidence of Canadians in their online privacy. With Bill C-475, legislators can begin the process today of bringing Canada's private-sector privacy law into the digital age to meet the data security challenges of tomorrow.