Discussion of the impact of privacy breaches in Canada focuses primarily on the damage caused to the individuals whose information was compromised and the resulting reputational harm to the business reporting the breach. But there are much better reasons to report suspected breaches of security or privacy to the authorities than the fear of damaging your good name.
In Canada, breach notification law has been a long time coming. Before the amendments currently under consideration (Bill C-12) to the Personal Information Protection and Electronic Documents Act (PIPEDA), we saw countless iterations of legislation that resulted in little more than friction between different levels of government and additional delays due to pushback from various parties. One such party is the Information Technology Association of Canada, which has argued that informing victims of breaches would only result in notification "fatigue."
While most jurisdictions in Canada still lack laws around notification, Ontario's Personal Health Information Protection Act, 2004 (PHIPA) does explicitly require it. Alberta law specifically states that if a reasonable person would consider that there is a real risk of significant harm to an individual as a result of the loss of, or unauthorized access to or disclosure of, personal information, the Privacy Commissioner of that province must be notified; the Commissioner then determines whether the affected individuals must be notified.
But aside from the legal pressure and fear of public humiliation, there are five other reasons Canadian businesses should be open about their security practices, and in particular, privacy breaches.
1. You will show maturity and demonstrate responsibility.
Breaches are no trivial matter. They can have a significant impact on the lives of customers, so the better you handle them, the less damage they can cause. Affected individuals appreciate knowing about them as soon as possible, so they can take steps to protect themselves. That kind of responsiveness, along with adequate communication and support, goes a long way towards demonstrating to your valuable customers that your business is still worth their trust.
2. Your actions may garner praise instead of ridicule.
Last year, the Alberta Information and Privacy Commissioner commended the proper action of Best Buy and Air Miles in notifying individuals affected by a security breach.
3. It may actually benefit your brand.
After a security breach was detected on its servers, Hershey’s promptly notified individuals and made light of a peculiar issue that affected only one of their published recipes, thus spoon-feeding the media a positive spin that was just too delicious to resist.
4. It can bring much-needed improvements.
According to a recent Ponemon study, breaches led to increased security budgets (61% of cases), privacy budgets (15%) and staffing (28%). Organizations that previously had an inadequate level of awareness about data collection and management suddenly enforced policies and hired experts, demonstrating a tangible increase in their risk maturity levels.
5. You can get official guidance at no cost.
Provincial Privacy Commissioners do more than investigate privacy complaints. Their experienced staff can discuss the fine details of suspected breaches, advising business owners of their legal responsibilities and, perhaps more importantly, providing access to resources, often free, that help improve security and privacy practices in your organization.
There are clearly significant advantages to doing the right thing, but it's useful to remember that Canadians do have recourse, even in the absence of a specific breach notification law. Recent class action suits filed against DaimlerChrysler, National Bank and Durham Region Health demonstrate that even if the information risk preparedness of many organizations operating in Canada isn't quite where it should be, affected individuals can and will hold them responsible for mismanaging personal information.