Thank you.
My comments are going to focus on some legal aspects of e-commerce, in particular, privacy and security issues that have been, I think, impediments to both business and online consumers.
My message, in a nutshell, is that business needs to get its act together with respect to privacy and security of data. You don't have to look too far, I think, to see why I say that.
Now, some of what I'm about to say, I know, has already been heard to some extent by Industry Canada in earlier consultations, but I think the message merits reinforcement because the problem still exists and Bill C-12, of course, is not yet law.
Back in September of 2004, a report of the Canadian e-Business Initiative identified privacy and security practices as integral parts of a successful e-business adoption strategy. That report came out at a time when Canada implemented the Personal Information Protection and Electronic Documents Act, otherwise known as PIPEDA, which legislated a model code for the protection of personal information. An element of that code is that personal information must be protected by security safeguards appropriate to the sensitivity of the information gathered.
Seven years later, where are we? Well, we continue to hear about large-scale data breaches, and small and medium-sized businesses in particular are unsure about what they need to do to comply with the privacy legislation—and I'll briefly mention some studies in relation to that—and consumers may be excused for wondering if their personal information is being protected at all, given some of the media reports we hear.
In almost every poll or study taken on the barriers to e-commerce—and I've looked at quite a few of these online over the past few days—the principal concerns raised have been privacy and security of personal information. Consumers want some assurance that their information is going to be protected. Businesses want that assurance as well, and they want to know whether they're meeting adequate standards to protect that information and to protect themselves against possible liability.
Unfortunately, there's not been a shortage of significant data breaches over the past few years. According to the Privacy Commissioner of Canada, too many data breaches are occurring because companies have ignored some of the most basic steps to protect personal information, including a failure to implement the most basic security measures. Sometimes breaches are reported; sometimes they're not reported at all; sometimes they're reported only after the business gets an indication that the data may be being used for illegal or unscrupulous purposes. Despite the increased frequency of security breaches, a recent Environics Research Group study of small and medium-sized businesses indicates that most are complacent about their company's IT safeguards and underestimate the consequences of a security breach.
I just want to share very briefly some of those findings with you, if I may. The small and medium-sized businesses surveyed were divided about the reasons for their complacency. Most, however, acknowledged that they were not taking adequate security measures or that their existing software protection was not adequate. Many were ignorant of cloud computing. The limited number of SMEs that had adopted cloud computing were driven by their desire to spend less money on IT infrastructure, and they were not confident at all that the provider was ensuring any safety of the information they provided.
Believe it or not, people and organizations still care about privacy and security of information. One estimate is that over 35% of Internet users will not give their credit card information online because of security concerns. That's a large chunk of people who are just not engaging in e-commerce and who could be.
It's also interesting to note that a 2011 study indicated that online consumers, largely thought to be motivated primarily by savings, are often willing to pay a premium for purchases from online vendors who have clear protective privacy and security policies. I think this illustrates a couple of things. First, even in the Facebook era, when personal information is willingly disclosed and when some industry executives have declared privacy to be dead, privacy and security are still identified as major factors in a consumer's decision to do business online. And second, those businesses that do take privacy and security seriously can profit from it.
Our experience shows that sometimes legislative intervention is required to ensure adequate data protection mechanisms are in place, otherwise there may be little incentive to remedy the problem. The downside of that is that any attempt at legislative intervention is sometimes reflexively labelled as costly regulation by some in the business community.
For example, one of the issues to be examined is red tape, which creates barriers to growth. The question is whether regulation is red tape or whether it's actually doing something important.
In the current situation, it's been argued that mandatory disclosure of security breaches may cause unnecessary panic in situations where the chance of the fraudulent use of compromised data is minuscule. If you get too many notifications, that then leads to what one writer calls notification desensitization. What's missing from this rationale is that the aim is to encourage business to have adequate security measures in place so that the frequency of data breaches diminishes. If that happens, there can be no oversensitization, because the event is infrequent. In any case, whatever argument is raised against notification, the priority has to be the giving of notice by the custodian of the information to those affected, so that they can take preventative measures.
I want to turn briefly to Bill C-12, currently before the House of Commons. That bill will require an organization to report to the Privacy Commissioner any material breach of security safeguards involving personal information under its control. Factors related to materiality will include the sensitivity of the information and the number of individuals affected. The organization will also be required to notify an individual of the breach if it's reasonable to believe that the breach creates a real risk of significant harm.
I don't mean to go into any great detail on the mechanics of that legislation, but it seems to me that it at least strikes somewhat of a balance—