The growing problem of identity theft and mandatory breach notification

Last spring I was invited to testify and present with Dr. Avner Levin before the House of Commons Standing Committee on Access to Information, Privacy and Ethics, in the context of its study on the “Growing Problem of Identity Theft and its Economic Impact”.

I discussed why there are no real incentives for Canadian businesses to protect the personal information of their employees and customers. I also elaborated on the fact that we should have, in Canada, mandatory breach notification.

If individuals (consumers, employees, etc.) are notified when a security breach takes place, they are in a better position to protect themselves against resulting harm, such as identity theft. Once notified, they can pay closer attention to their financial statements, track down any suspicious or unauthorized transactions, and monitor their credit files through credit-reporting agencies such as Equifax and TransUnion. Mandatory breach notification may also give businesses an incentive to establish better data security practices in the first place, since a breach they would otherwise have kept quiet becomes a public event.

What is the status of mandatory breach notification outside Canada? Most U.S. states have breach notification laws, and in the European Union, mandatory breach notification is included in the proposed data protection reform.

In Canada, Alberta is the only province whose private-sector privacy legislation includes mandatory breach notification. The Alberta Information and Privacy Commissioner has confirmed that this obligation has not only increased the reporting of security breaches, but has also given businesses an incentive to invest in preventive measures such as privacy training for employees. Businesses are more inclined to spend on prevention if they know they will have to disclose a breach. In Quebec, there is a consensus that such an obligation is needed: in 2011, the Commission d’accès à l’information du Québec published a report recommending mandatory breach notification. At the federal level, several bills introduced over the last few years have included a notification obligation: Bill C-29, Bill C-12, Bill C-475 (a private member’s bill) and, more recently, Bill S-4.

You can read my testimony here.

You can read Dr. Avner Levin’s testimony here.

This content has been updated on October 6, 2014 at 19 h 43 min.