I'd like to take you to tab 4 of our materials, which was the transcript, so there's a little déjà vu here. It's at tab 4, page 4, in both the English and French versions, towards the bottom of the page. We don't disagree--which is a roundabout way of saying we pretty much agree--that there should be a duty to notify. The problem isn't whether there should be a duty to notify, or whether people have the right. The problem is the threshold. When you're dealing with a principle-based statute with the breadth of PIPEDA, it's almost impossible to craft a meaningful threshold. This is something--if you look at the bottom of column two--which the commissioner acknowledges quite explicitly. She says, “we're in favour of the principle. The problem is in knowing how to implement it.” She continues on to talk about the complexity and the difficulty in trying to transpose the American remedies to Canada. “To whom do you give notice? What would be the scope of it? Would it concern all the information, or only where there's significant risk? Who will bear the cost?” If you turn over to page 5, midway down, she says that she recommends there be a breach notification provision. The exact wording, however, is quite honestly a challenge, and then there's a discussion about needing some sort of threshold.
With respect, we would suggest that you consider that perhaps there be some sort of statement of principle in PIPEDA, that there should be notification with some sort of threshold, but then again, we would suggest, particularly with complex industries like ours, that the detail of exactly what the threshold is going to be and how it's going to be implemented be left to our governing statutes and to those who really have expert knowledge of how we function. You can put rules. It's very difficult to put in rules that are going to apply to banks and to a small business. There's another passage in here where we have the commissioner and assistant commissioner talking about the CIBC breaches. You can have rules upon rules, but sometimes things are going to happen. They said CIBC did everything right. They had great systems. They had great agreements, but sometimes these things happen.
I would suggest--and we would I think agree on this--that it be left to those with expert knowledge of our very complex industries.
