Industry Committee on Feb. 17th, 2015

Yes, thanks.

To reiterate in a little more detail, Scott is correct in highlighting that the law has been in effect for over a decade now. It's an ongoing process. Organizations are constantly upgrading their security procedures and practices, and their technology. All of us are reading about technological changes every day, and those pose new challenges for marketers and for businesses every time there is a significant development. Businesses need to stay on top of their game, and they work constantly to do so. They have been doing that on the basis of PIPEDA since the early 2000s.

In terms of small businesses, the only thing I would add is that there are elements of the law that present concerns to us. I missed the introductory remarks, but with regard to the record-keeping requirements, for example, there is some concern that if they're not qualified a bit more, that could pose a burden for businesses generally, but particularly small businesses, in terms of having to keep records relating to a breach.

There are provisions under clause 7 that provide exceptions, for example, for protecting for fraud, and it was discussed in the previous session. There is no provision to manage a cybersecurity hack, for instance. An example is the Waledac. It was a botnet that attacked large numbers of computers, and it had the ability to send 1.5 billion spam e-mails a day. The only way to counteract that is to collect information from those computers that are hacked and then provide advice to those individuals on how to solve that problem. It has to happen in a fairly short period of time; you wouldn't have time to collect the consent to do that. For businesses to operate and share information and collect information in real time, they do need some kind of exception to operate.

If I could just go back to the cybersecurity issue for one moment, the whole intent of that requested amendment was to protect consumers and individuals. In other words, it's those consumers and individuals whose information is at risk, and we're just suggesting that to be able to handle that it's not in their best interest to ask for their consent in the first place. It's in their best interest to handle the problem.

Thank you for the question.

The overcollection I was referring to was, I think, a likely outcome of proposed section 10.3 in the bill that requires organizations to “keep and maintain a record of every breach of security safeguards involving personal information under its control”. Personal information is a very broadly defined term. It's really any information about an identifiable individual and there can be frequent small breaches, technical breaches happening every day. I will give a couple of examples. Let's say a misprinted address label goes out in the mail that includes in the address window the party's age. That's a breach, a piece of personal information tied to an identifiable individual. Let's say you're in a store and the clerk leaves somebody's order printed out on the counter while he turns to get the phone and it's visible to other consumers and all that may have been disclosed was somebody's shoe size. That's a breach. A record would have to kept for each of them under this law and retained indefinitely until the OPC requested it.

I think that's our concern, that there's no threshold here of materiality and I think because of the concern that this provision is tied to an offence provision, there will be overcollection. Businesses will err on the side of caution and will record everything in all the stores and all the call centres everywhere across the country.

Yes. I think we already have standards in this bill and in previous bills that could be helpful in terms of talking about, for example, we think it's certainly reasonable to keep records if it's reasonable that the breach would create a real risk of significant harm to an individual.That's already proposed for notification of individuals and the Privacy Commissioner. I think that would be a good standard in terms of materiality for the record keeping required. You'd know that they meant something and there was some real risk of harm.

To answer that question, yes, that's part of any company's process in evaluating a breach: what is the impact of the breach? They all have internal policies on how to manage that. Financial institutions would have a very rigorous set of policies, whereas a small business may have something very straightforward, depending on the type of information they collect.

Individual organizations have a lot at stake in terms of ensuring that they properly weigh the impact of any breach on their customers. Their most important assets as business organizations are their customers, so making that sort of evaluation is one of the most important functions an organization has to take on when there is a breach situation. They are in the best position to evaluate the level of risk to their customers, and then to take appropriate action.

I believe that the law as drafted largely has that component constructed in an appropriate way. There is provision for reporting also to the Privacy Commissioner, which is an additional component that supports, I guess, the safeguards under the new provisions of the law.

If I could add to that, I would say that the other thing working here is that in all cases, this is being overseen by the Office of the Privacy Commissioner. At first instance, a business may make the call as to whether something creates a significant risk of harm, but ultimately that will be up to the OPC to review at some point, or a court, and if organizations get it wrong, that's an offence under this act. They're subject to fines on summary conviction, so there's a lot of incentive there for them to get it right.

I would suggest that it will lead to an appropriate level of reporting, and reporting those breaches that should be reported both to the Privacy Commissioner, and most importantly, to affected consumers.

I think, as we heard from the Privacy Commissioner himself this morning, the experience with the breach of reporting regime in Alberta and with the voluntary regime in the rest of Canada shows that companies are tending to over-report.