Bill C-29 (Historical)

I think that if every time a USB key went missing, there were requirements to disclose, then yes, you would find that organizations would be spending a lot of time disclosing. However, if we look back at the Bill C-12 and Bill C-29 standard, that's not the standard we talked about. It set a material breach as the standard.

You can debate whether or not that's the appropriate standard, but at a minimum it gets us at a number of breaches that this law will not. Moreover, it does so in a way that I think was good for companies too, because rather than companies being faced with this either/or of going to the expense and potential embarrassment of simply disclosing or not, it said as an intermediary step, let's discuss this on a confidential basis with the Privacy Commissioner's office and determine whether or not it warrants that broader disclosure.

Frankly, that was a good thing for organizations to potentially avoid having to make those broader disclosures, in some circumstances, and it provided the comfort of ensuring that users knew that, at a minimum, we had an advocate, the Privacy Commissioner, who was going to be made aware of these circumstances.

It's puzzling to me why this was removed in favour of a process that, frankly, does less to protect Canadians and, ultimately, actually can create larger costs for companies as well.

Thanks for raising that. It's worth noting that this whole notion of security breach disclosure actually originated out of California, with the idea of creating sort of the perfect world of incentives for companies to do a better job of securing the information, because they don't want to have to go through the cost and potential embarrassment of disclosure. At the same time, it creates incentives or protection for users because they become aware of these disclosures when they happen.

What we've got under Bill S-4 is such a high threshold, and I think Ms. Lawson referenced this as well, that if the standard is only a real risk of significant harm and we don't have big penalties associated with non-disclosure to begin with, at least if you're a larger organization, in many instances, I think it's going to be quite rational, frankly, for an organization not to disclose. They're going to ask, first, what's the risk that anyone will ever find out about this? Second, if they do happen to find out about it and someone shows that there was a real risk of significant harm, then we will face a penalty. But even there, the penalties are relative low.

So what the California law does is to say that we want to ensure that if we're going to err on one side or the other, it's will be to err on the side of trying to mitigate against identify theft, to err on the side of ensuring that there is better security, and by lowering the threshold. We tried to do that a little bit in Bill C-12 and Bill C-29 with the two-step process, so that at least you are made sure that the Privacy Commissioner would be aware of the circumstances where there's a material breach. But in doing away with all of that, I don't think it's just a fear that breaches will occur in Canada. I think these should be expected. And if you asked many Canadians, they would tell you, “Boy, I should have been told about that”. And yet they won't be because companies are going to err rationally, based on the way this law is drafted, on the side of not disclosing it.

Sure. I'll do that. I'd also like to just note a couple of things. The commissioner did not appear before the Senate committee on Bill S-4. Because of the long delays in getting a commissioner appointed at that time, there was no commissioner, but people from that office were in a position to appear because it had been studied. So the commissioner actually didn't appear on Bill S-4.

In terms of lengthy study, with respect, let's be clear. The committee began a review of this bill in November 2006, and by May of 2007 it released its report.

We got first reading of Bill C-29 in May 2010. A second reading took until October. There were never any hearings held on Bill C-29.

The next bill that was introduced was Bill C-12, which was the second attempt at this bill. It sat at second reading for two years without moving forward. There were no committee hearings held on it.

We finally now have Bill S-4, on which there were two sets of hearings. Four days were allocated to this piece of legislation within the Senate: one day for the minister to appear; another day for clause-by-clause; two days for hearings. So if we're going to talk to witnesses about not having appeared, frankly, there were very, very few witnesses who had the opportunity to appear at all. This is, with all respect, not a well-studied bill. It is a bill that has now come through three times, and in most instances there has been no study whatsoever. When the Senate had the chance to hear on this bill, there was not even a privacy commissioner in place to deal with it, due to the long delay in finding a new commissioner to replace Commissioner Stoddart and later acting commissioner Chantal Bernier.

With respect to the commissioner's support, yes, I too can cherry-pick particular comments from the Privacy Commissioner about where the commissioner supports the legislation, but I can also note that the commissioner's office has been consistent in saying that it finds it problematic with respect to voluntary disclosure, and yet that hasn't changed, and in identifying a number of other improvements.

So the question is this. Is this a well-studied bill that we ought to get on with? With respect, it is both not well studied and ought to be fixed. Canadians deserve better.

My concern with the security breach disclosure provisions, which I think quite clearly are long overdue—we've been passed by by so many other countries and jurisdictions on this—is frankly that we had it better in the earlier iterations of this bill, in Bill C-12 and Bill C-29, which, as I'm sure you know, created a two-step process.

The first step is notification to the Privacy Commissioner of a material breach, and that, of course, didn't include the necessity of the real risk of significant harm. It was more a matter of the breach itself.

Then you get into the secondary question of under what circumstances you go down the much more challenging avenue of having to disclose this breach to everyone who's affected, recognizing that there may be circumstances in which that's appropriate and others in which it's not.

What we've done here, by removing that and creating a higher threshold for all disclosures, I think means that systemic breaches don't get disclosed. It means that, many times, important material breaches simply don't get disclosed, and organizations that have underlying problems don't have to fess up at all.

I think we recognize that in some circumstances we have the incentives for organizations not to disclose because of the costs and the embarrassment factor. We also want to ensure that we don't have so many disclosures that consumers are receiving notifications on a daily basis, and they simply tune all of that out.

There is a balance to be struck, but I think we did a much better job, the government did a much better job, of striking that balance, particularly for things like systemic breaches within an organization, by saying, “Surely that's the sort of thing that we would want the Privacy Commissioner's office to know about”, and yet we've effectively removed that in this bill. It's hard to understand why.

I will start. Thank you for the invitation.

I'll give the first part of my presentation in French and the second, in English.

I'd like to start by discussing the legal framework governing privacy protection and the response of business. Despite the legislation that exists, the Personal Information Protection and Electronic Documents Act, or PIPEDA, companies and organizations have no real incentive to comply with the act and implement appropriate security measures. What's the worst that could happen from a company's perspective? What are the risks if they don't comply with the act? Not much. The worst case scenario is that their reputation might be tarnished. For example, if a complaint is made, and at the end of the investigation, the commissioner decides to release the company's name, then obviously, the company's reputation might be sullied. That very seldom happens, though.

There is another potential risk. When an individual is notified by the commissioner that the act was in fact breached, that person can take the company to Federal Court for damages. The court has made a few such rulings in the past decade. In five to ten cases, the Federal Court awarded small amounts. In some cases, it awarded no damages, and in others, $5,000.

Last fall, in its ruling on Chitrakar v. Bell TV, the Federal Court awarded $20,000 in damages, and that was a first. Is this the beginning of a new trend? Perhaps. Only time will tell. One thing is for sure: not everyone has the means to take legal action against a company to obtain small amounts in damages. In privacy violation cases, the amounts often range between $5,000 and $10,000. Engaging in a court battle is a complicated and painstaking process.

Furthermore, at the federal level, no incentives exist with respect to class action lawsuits over privacy violations, which have the potential to improve compliance. Incentives do exist in other jurisdictions. And in many cases, companies comply with privacy legislation as a result. Just think of the recent security breaches. Last January, a security breach occurred at Human Resources and Skills Development Canada. In April, a security breach occurred at the Investment Industry Regulatory Organization of Canada, or IIROC. And class action suits were launched in relation to both of those breaches.

In the case of IIROC, a portable drive containing the financial information of 52,000 brokerage firm clients was lost. The damages sought were $1,000 per individual. That has the potential to motivate companies to comply, but under PIPEDA, that isn't an option. The legislation contains no such provision to motivate companies. And even if it did, a class action lawsuit isn't necessarily appealing because authorization to proceed isn't always granted.

In the Quebec case of Larose c. Banque Nationale du Canada, the Superior Court made a ruling in 2010. A typical breach, it involved a lost laptop containing the financial information of many clients. One of the clients was not very happy and took the National Bank to court. At the authorization stage, counsel for the complainant had to show that, as a result of the security breach on the bank's part, actual identity theft had occurred. The court stipulated that the fear of identity theft alone did not entitle someone to compensation. Had there been no evidence of actual identity theft, the court would not have granted authorization for a class action.

That tells you just how high the bar has been set. Proceedings of this nature are not straightforward. And the damages aren't very high. So what's left? If you can't seek compensation because you're afraid you were the victim of identity theft as a result of a security breach, there is little else you can do.

Let's come back to the legislation concerning security measures. Companies are advised to adopt security measures based on the level of sensitivity of the information. Even when companies contract out services to a third party, the legislation says they are still responsible for the information and must ensure its protection through the contract. In reality, what we often see is companies using cloud services or third-party contracts. They contract the service out and then turn a blind eye to what goes on.

I would like you to consider a provision in a piece of Quebec legislation that I see as very useful. It imposes an additional obligation on companies preparing to give or transfer personal information to a third party via a contract. I am referring to section 26 of An Act to Establish a Legal Framework for Information Technology. It reads as follows:

Anyone who places a technology-based document in the custody of a service provider is required to inform the service provider beforehand as to the privacy protection required by the document according to the confidentiality of the information it contains, and as to the persons who are authorized to access the document.

The person who entrusts the function to a service provider and transfers the data to the provider, whether via cloud computing or some other means, has an obligation to tell the service provider how to protect the information in question. I think incorporating a similar provision in our legislation could be useful.

I am active in the protection of privacy and personal information. There is a prevention component to my work. That entails advisory services, compliance, training, policy development and so forth. I am also involved in crisis management. I help with the management of security breaches, provide assistance when complaints are made to privacy commissioners in various jurisdictions and give advice related to privacy class action lawsuits. Clients rarely ask me to do any prevention work for them unless they have had some sort of crisis first. That shows that companies aren't very tuned in to the issue. And yet, the legislation exists. Are they motivated to comply with the act? Not especially, because they wait until a security breach has occurred before taking action. Not until a crisis arises do they realize how costly it can be and that they might do well to invest in prevention.

It's also interesting to see just how many resources are being deployed to compliance and prevention around the coming into force of Canada's new anti-spam legislation. That piece of legislation is being taken seriously. It includes liability provisions that apply to administrators, executives and employers. And since the penalties it sets out are quite stiff, companies take it seriously. Ever since its coming into force was announced, the legislation has monopolized my practice almost full time. Is spam a bigger problem or greater evil than security breaches or identity theft? I doubt it. Why, then, is the situation the way it is? What are we waiting for to motivate companies to invest in prevention?

I have one last point. My second part will be very short.

Some studies show that most security breaches are the result of human error. I am referring to two studies, in particular, that were conducted two years after the requirement to report a security breach was imposed on companies. The first was done by Alberta in 2012-13 and lists all the notifications and security breaches. According to that report, human error was at fault in many of the cases. The second study was done by the Ponemon Institute in 2013 and says that in 33% of cases, employee error was to blame.

That, too, shows that companies aren't taking employee training around privacy protection seriously. Very often, the security breach resulted from a laptop being left in a car. Was the employee aware that behaviour posed a risk? Was a relevant policy in place? Was appropriate training available? The jury is out.

I know time is running. The second part is going to be quick.

I want to raise the fact that currently under PIPEDA we don't have mandatory breach notification, and I believe that this may well play an important role in addressing some of the financial harm that may be triggered in the case of identity theft following a security breach.

If individuals, whether they be consumers, employees, are notified, it will help them to better protect themselves against harm, such as identity theft, because once they're notified they're going to pay special attention to their financial statements every month, every day, tracking down any suspicious or unauthorized transactions. They're going to monitor their credit through credit-rating agencies, such as Equifax and TransUnion. It will also provide businesses with an incentive to establish better data security practices in the first place.

What's the status on mandatory breach notification outside of Canada? We have it in Europe and in the United States. Most of the states in the U.S. have breach notification laws. In Canada, Alberta so far is the only private sector jurisdiction that has this law, and they prescribe fines up to $100,000 for businesses. They have realized that this breach notification obligation in their law has increased the reporting of security breaches, and it has also increased the privacy training. Businesses are more inclined and are more motivated to spend, because they realize that it's going to be an obligation to disclose the breach if there is such a breach.

In Quebec there is a consensus that it is needed. In 2011, la Commission d'accès à l'information du Québec published a report in which they said that this is needed. It's a matter of time. It's in the hands right now of the legislature, but we will have also this obligation in Quebec shortly, hopefully.

At the federal level, we've had various bills that have been introduced: Bill C-29, BillC-12, Bill S-4 recently, and Bill C-475. The latest one is Bill S-4. Will Bill S-4 do the job if it becomes law? It's better than having nothing, that's for sure. Maybe it's not perfect, but it's better than having nothing.

I guess it would create the incentive for businesses to disclose, and I think we need to trigger that incentive. In an ideal situation there should be clear monetary penalties for not reporting security breaches to individuals and to the privacy commissioners. There should be a duty to report a breach as soon as possible. I'm cautious with providing fixed delays, because I've been on the other side. Sometimes there's a breach and you need to do the investigation before you start notifying individuals and privacy commissioners, because you need to know exactly what happened and what needs to be told or not told.

The Privacy Commissioner, I believe, should be given the power to order an organization to report a breach to customers. These orders should be made public and the organization should be named. I think that would create the necessary incentive for them to invest in preventive measures, which would be beneficial to address a financial harm resulting form identity theft.

This is my last point. It would not be a bad idea to have a uniform breach notification law in Canada. Various systems could become problematic when there's a breach. I know that a few years ago, the Uniform Law Conference of Canada drafted a breach notification act. Maybe it could be used as a tool.

Thank you. I think my time is up.

I think that work has to continue to progress. It may look like we spent a lot of time on international issues, which may perhaps seem glamorous and so on, but it wasn't that kind of choice. Because of the way the Internet functions, because of Canada's economic position, with so much on the Internet.... First of all, we're big users of the Internet and we're big users of the social network. A lot of our content comes from the United States or from France—even the United States for French-speaking Canadians. We have no choice but to engage internationally.

If you want to enforce our law against somebody who's sitting on the other side of the world, you need to have the ties with the enforcement agency on the other side, and you must have the credibility and have built up a relationship ahead of time. That's why another bill that is currently before the House of Commons.... Well, actually it is in Bill C-29, which went to the Senate, that I have extended power to share information and to enter into working relationships with other agencies and other organizations that do similar work in order to further Canadian law.

That's basically what we're trying to do, ideally: to better global protection for Canadians as their personal information circles around the globe.

That's a very nice question. Thank you.

We may take you up on that on further reflection and send those recommendations back to you. I'm sure our office would be pleased to do so, but let me offer a few suggestions right off the bat, if I may.

The first thing I could say is to echo what has been the key message of the commissioner and her international counterparts, which is to impress upon all organizations--but especially model organizations and world trendsetters like Google--that they must take proactive measures to avert risks before the deployment of products and services occurs. This is a key message; if you were to echo it, I think it would be very helpful.

There are other things being contemplated by Parliament right now that would go a long way in assisting in where we go from here. One of those is to afford the commissioner with the powers and the authority necessary to share information about ongoing investigations with her international counterparts, so that she can compare notes with her German and U.K. and Irish and Australian colleagues and discuss what we have found, what they have found, and what we need to do collectively to stop something in its tracks.

Currently, she cannot do that, but Bill C-28 would afford her with the powers to share and exchange information and collaborate even more meaningfully than she can now with her international counterparts to deal with these global issues.

Another change going from here currently to Parliament would be to give her discretion to choose which complaints she goes forward with. Right now she must investigate all complaints, which takes an awful lot of resources, as you know. If she were afforded with the discretion to set priorities and decide where the real risks are, to take some complaints or not investigate other complaints, then she could afford and allocate resources much more meaningfully to get at the big risks--such as Google, in this example--and allocate her resources accordingly. That discretion would help.

Finally, another change before Parliament is Bill C-29, the amendments to PIPEDA. As you know, these amendments would make it mandatory for organizations to notify of breach. This would go a long way towards bringing these instances out into the open to be able to deal with them.