Transparency in Canadian IT Security
There are no breach notification laws in Canada. Believe it or not, businesses in Canada are not obligated to disclose any major security breaches. Instead, they are only required to employ reasonable security measures, and, working in the security industry, I can only imagine who is left to interpret what is considered reasonable. The Canadian Internet Policy and Public Interest Clinic is requesting that changes be made to the Personal Information Protection and Electronic Documents Act (PIPEDA) to force businesses to inform those whose personal information may have been compromised as a result of a security breach.
In the United States, 30 different states have their own versions of breach notification laws, but unlike Canada, there is no national privacy law, leading to discrepancies between states. Although the path being taken by Canada has created a national standard, something that avoids the patchwork-like implementation seen in the U.S., without specific legislation that requires the release of such information, security breaches that affect consumers will remain company secrets.
Larger companies are obviously at a higher risk, with their reputations on the line and the logistics of reporting any large-scale security breach being difficult to develop and put in place. But with more and more sensitive information being stored digitally, the likelihood of an individual being affected by a security breach is increasing, and it's important that Canadians are protected. Too often the response is reactive rather than proactive.
With so many companies in Canada operating in the United States, a large percentage of Canadian businesses are already affected by state laws regarding data breach notification. This makes it more likely that companies will provide little resistance to similar legislation in Canada.