BreachExchange mailing list archives

Canada's newly introduced data breach is a start, but it lacks teeth


From: Jake Kouns <jkouns () opensecurityfoundation org>
Date: Sat, 10 Jul 2010 12:34:47 -0400

http://www.scmagazineus.com/canadas-newly-introduced-data-breach-is-a-start-but-it-lacks-teeth/article/174200/

The Parliament of Canada recently introduced Bill C-29, also known as
an act that amends the Personal Information Protection and Electronic
Documents Act (PIPEDA).

The new proposal makes it mandatory for businesses to notify consumers
when their personally identifiable information (PII) has been
breached, and it clarifies ambiguities in the original legislation –
but does it go far enough?

If a breach falls in the forest…

U.S. breaches are front-page news on a weekly basis – but rarely in
Canada. Does that mean Canadian companies have better security
controls? Are they less frequently targeted by cybercriminals looking
for credit card numbers, Social Security numbers and other identity
information? Or frankly, does it mean they are sweeping data breaches
under the rug because they're not required to report when consumers
may be at risk?

Meanwhile, there has been a substantial increase in the number of
breaches reported in the U.S. since 2003, when California's SB 1386
went into effect, requiring U.S. companies to alert customers in
California to potential data breaches. Since then, blockbuster
breaches such as Heartland and TJX have been reported, driving 44
other states to follow California's lead – including Massachusetts,
which may have the strictest data law in the United States – and
encouraging other countries to consider creating and enforcing breach
notification laws.

Although PIPEDA was first passed in the late 1990s and came fully into
effect in 2004, this is the first time the Canadian government has
attempted to define a data breach notification mandate at the federal
level. A set of voluntary guidelines on dealing with breaches was
published in 2007 by the federal privacy commissioner – but those
guidelines are not legally enforceable.

Disclosure discretion

The new law brings a number of important enhancements to PIPEDA,
including clarifying when law enforcement agencies and other “lawful
authorities” can request non-public information about individuals. It
also excludes “business contact information” from PIPEDA's privacy
provisions – including name, title, and work contact details such as
email address – because this is essentially the same information
that's often freely handed out on a business card.

The most significant clause would require banks, retailers and other
companies to report any “material breach of security safeguards
involving personal information under their control.” But the
definition of “material breach” remains open to an individual
company's interpretation.

[..]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
