Mr. Speaker, our government is committed to promoting the interests of Canadian consumers and the protection of their private information.
In an increasingly digital world, it is important that we have strong privacy protections in place to ensure organizations are treating the private information of Canadians appropriately. Many of these protections are already found in the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA.
However, a lot has changed in the more than 13 years since PIPEDA came into effect. Our government is taking important steps to ensure organizations are accountable for how they handle the personal information of their clients and customers in today's digital world.
That is why on April 8, we tabled Bill S-4, the digital privacy act. The bill introduces new measures to update our private sector privacy legislation, which sets out specific rules that businesses and organizations must follow whenever Canadians' personal information is lost or stolen.
Recently, we have seen a disturbing example of this problem south of the border with Target Corporation. Just before Christmas last year, Target learned that malicious software had been installed on the company's computer systems, allowing the personal information of some 70 million customers to be stolen, including 40 million payment card records.
It is because of situations like these that we must continue to ensure Canadians' personal information is safe. Data breaches can happen in many different ways and to any type of organization, large or small. Data breaches can result from improper disposal, for example, of paper documents sent for recycling instead of shredding or computers resold without scrubbing hard drives clean, or it can be stolen through sophisticated cyber attacks like those experienced by Target.
Unfortunately, this is a growing problem. Last year saw an all-time high for the number of data records lost or stolen worldwide. The Verizon data breach investigations report estimated that in 2012 between 575 million and 822 million records were compromised in data breaches.
We know that cybercrime is a growing problem in Canada. Last October a study reported that cybercrime cost Canadians some $3 billion over 12 months, up from $1.4 billion the previous year.
That is why our government has already put a number of significant measures in place to combat cybercrime and protect our digital infrastructure, such as Canada's cyber security strategy. In addition to this, Canada's anti-spam law will begin to come into force July 1, later this year. This law will help Canadians deal with unwanted commercial emails, and will also protect Canadians from cyber threats, like malware and fraudulent websites that seek to steal their personal information.
These measures are significant, but more is needed. We must ensure organizations have strong incentives in place to implement strong data security. Currently in PIPEDA there is no obligation for businesses and organizations to inform customers and clients when their personal information has been lost or stolen. This means if a company loses people's credit card information, that company is not obligated to tell them. With the digital privacy act, our government is proposing to correct this.
Stolen data can be used to create false identities that are used in criminal activities. They can be used to hack into online banking services. In the wrong hands, lost or stolen health information, employee records, even criminal records can create countless problems for those who have had their personal information compromised.
I also want to state, Mr. Speaker, that I will be splitting my time with the member for Desnethé—Missinippi—Churchill River.
We believe it is up to all organizations to put in place the safeguards to protect the personal data they have collected from their clients and customers. This is a responsibility that most take very seriously. However, with the changes we have proposed, if a company has its computer systems hacked and believes personal information has been stolen or if that information has been lost inadvertently, the company will need to take a number of steps.
If the company determines that the breach poses a risk or harm to individuals, it will need to notify the Canadians affected and make a report to the Privacy Commissioner of Canada. Organizations will also be required to document and keep a record of the event, including the result of its risk assessment. This would be required for every breach, even if the company did not think the breach was harmful. The organization would have to provide these records to the commissioner upon request, providing oversight and holding organizations accountable.
Let me provide an example. Say that an organization determines that a laptop containing customer personal information has been lost. It will be required to make a record of this loss. If the breach involves unencrypted sensitive personal information such as credit card numbers, other financial or health information, for example, it would pose a real risk and potential significant harm to those involved. As a result, the organization would be required by law to notify the customers who were impacted.
The company would be not only required to tell customers when it lost information, it would also be required to report the loss to the Privacy Commissioner. The commissioner may then request a copy of the company's records to see if there is a history of similar losses that would be a cause for concern. The Privacy Commissioner would then have the option of opening an investigation into the matter.
It should be clear to all members in the House that implementing a requirement for mandatory data breach notification is a significant improvement to our private sector privacy laws. Our government believes there needs to be serious consequences for any organization that deliberately breaks the rules and intentionally attempts to cover up a data breach. The changes that our government has proposed will also make covering up a data breach an offence. In cases of deliberate wrongdoing, an organization could face fines of up to $100,000. To be clear, it will be a separate offence for every person and organization that is deliberately not notified of a potentially harmful data breach and each offence will be subject to a maximum $100,000 fine.
The digital privacy act would address the concerns posed by data breaches and has received good reception so far. In fact, the Privacy Commissioner commented that she welcomed the proposals in this bill. She said that it contained very positive developments for the privacy rights of Canadians. Even the member opposite for Terrebonne—Blainville said, “We have been pushing for these measures and I'm happy to see them introduced. Overall, these are good...steps”.
Our government has taken a balanced approach to the responsibilities placed on businesses and organizations, while protecting Canadian consumers by giving individuals the information they need to protect themselves when their information has been lost or stolen. The digital privacy act demonstrates our government's commitment to providing Canadians with the confidence that their privacy and personal information are protected.