BreachExchange mailing list archives
Canada's newly introduced data breach is a start, but it lacks teeth
From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 10 Jul 2010 12:34:47 -0400
http://www.scmagazineus.com/canadas-newly-introduced-data-breach-is-a-start-but-it-lacks-teeth/article/174200/

The Parliament of Canada recently introduced Bill C29, also known as an act that amends the Personal Information Protection and Electronic Documents Act (PIPEDA). The new proposal makes it mandatory for businesses to notify consumers when their personally identifiable information (PII) has been breached, and it clarifies ambiguities in the original legislation – but does it go far enough?

If a breach falls in the forest…

U.S. breaches are front-page news on a weekly basis – but rarely in Canada. Does that mean Canadian companies have better security controls? Are they less frequently targeted by cybercriminals looking for credit card numbers, Social Security numbers and other identity information? Or frankly, does it mean they are sweeping data breaches under the rug because they're not required to report when consumers may be at risk?

Meanwhile, there has been a substantial increase in the number of breaches reported in the U.S. since 2003, when California's SB 1386 went into effect, requiring U.S. companies to alert customers in California to potential data breaches. Since then, blockbuster breaches such as Heartland and TJX have been reported, driving 44 other states to follow California's lead – including Massachusetts, which may have the strictest data law in the United States – and encouraging other countries to consider creating and enforcing breach notification laws.

Although PIPEDA was first passed in the late 1990s and came fully into effect in 2004, this is the first time the Canadian government has attempted to define a data breach notification mandate at the federal level. A set of voluntary guidelines on dealing with breaches was published in 2007 by the federal privacy commissioner – but those guidelines are not legally enforceable.
Disclosure discretion

The new law brings a number of important enhancements to PIPEDA, including clarifying when law enforcement agencies and other "lawful authorities" can request non-public information about individuals. It also excludes "business contact information" from PIPEDA's privacy provisions – including name, title, and work contact details such as email address – because this is essentially the same information that's often freely handed out on a business card.

The most significant clause would require banks, retailers and other companies to report any "material breach of security safeguards involving personal information under their control." But the definition of "material breach" remains open to an individual company's interpretation.

[..]

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/