Canadian firms putting a lock on data privacy

JOANNA PACHNER

Special to The Globe and Mail

Last year, when Canadian Imperial Bank of Commerce subsidiary Talvest Mutual Funds was forced by the federal privacy commissioner to reveal it had lost a file containing confidential information on almost half a million clients, Jeff Green must have felt a shudder of sympathy mixed with schadenfreude. Such a public drubbing over handling of private data is the nightmare of any chief privacy officer — especially one who works for a bank.

But for Mr. Green, the privacy czar at Royal Bank of Canada, it's not accidental gaffes but targeted attacks that cause the most concern. "We have to ensure that the information clients have given us is safeguarded, and is only used for the purposes for which they have given it to us," he says. Working in concert with RBC's chief information security officer — as well as privacy "designates" or "champions" at every business unit and branch who report to his team — Mr. Green is responsible for putting in place policies that protect clients' data and training employees in these procedures. Recently, his team launched a Phishing Resource Centre to help customers avoid tricksters digging for their financial information. Scammers who go "phishing" use official-looking websites or e-mails to try to get customers to supply their personal or account information.

High-level executives charged with keeping consumer data safe from scammers and snoopers are increasingly common at major Canadian companies, especially those with vast databases of personal client information, such as financial institutions, utilities and telcos. And, according to a report by Forrester Research in Cambridge, Mass., their efforts are making Canadian corporations privacy leaders.

"The Privacy Commissioner in Canada and individual provincial commissions have highlighted privacy as an issue, and so consumers are more aware of it and are pushing for it more," says Jennifer Albornoz Mulligan, the report's author. As a result, among the more than 2,000 organizations in five European and North American countries surveyed, Canadian companies came out on top as most likely to implement comprehensive privacy programs, educate employees about privacy and track privacy policy breaches.

Forrester found that 84 per cent of Canadian organizations — the highest proportion — reported having formal privacy programs involving representatives from multiple departments, compared with fewer than half the companies in France. As well, nine out of 10 Canadian organizations polled said they go beyond personal data to cover corporate information in their policies — again, the highest percentage among the countries studied.

Ms. Albornoz Mulligan notes that privacy laws vary around the world, but Canada benefits from having national legislation. The Personal Information Protection and Electronic Documents Act, introduced in 2001, applies to most businesses that collect, use or disclose personal information. The act requires that someone be accountable for implementing and monitoring policies covering the reasons for obtaining the information, ensuring consumers have consented to the data-gathering and safeguarding against unauthorized disclosure.

Today, chief privacy officer responsibilities are often tacked onto those of the head of information technology or security, but Ms. Albornoz Mulligan expects to see more dedicated privacy czars at public companies. "People have been mostly concerned about security, so privacy was given short shrift. But a lot of solutions to security problems are technology-based, while privacy is more about process and education than technology." That said, she adds, "If you don't have good security, you can't have privacy."

While large Canadian companies, prompted by a slew of embarrassing breaches, have been putting more of a focus on their privacy policies, they're reluctant to come clean if their system has been hacked or customer data lost. And that, says Michael Geist, a University of Ottawa professor specializing in Internet and e-commerce, is a flaw in the Canadian privacy laws. Prof. Geist believes the commissioners are too timid in disclosing the subjects of privacy complaints, pointing out that in the U.S., when the Federal Trade Commission launches an investigation into a privacy violation, the announcement of that fact alone serves as a deterrent to others. "The Canadian law provides scope to disclose, but it's done only in rare cases," Prof. Geist says.

Most U.S. states require companies to inform clients if the security of their private information has been compromised, whether by a hacker or an employee who lost a laptop, and that means notifying every individual affected. Such mandatory disclosure doesn't exist in Canada, says Prof. Geist, and what we do find out often comes through leaks to the media, such as the infamous case of CIBC employees unwittingly faxing customer information to American and Quebec businesses. Ms. Albornoz Mulligan agrees that having to disclose a data breach would serve to make Canadian companies more cautious. "We've seen that public-shaming approach work very well here," she says, "plus it costs the companies money to send out all those letters."

These and numerous other discrepancies between Canadian and U.S. laws are one of the key challenges Canadian organizations report, Ms. Albornoz Mulligan says. "Canadian privacy law puts a lot of restrictions on the data, but U.S. laws like the Patriot Act say that government can have a lot of access to private data. If Canadian data gets transferred to the U.S., there are a lot of challenges. The laws are fairly clear, but they directly conflict with each other."

The international differences haven't been a problem for RBC, says Mr. Green, because the company has used global requirements in building its privacy program. In fact, he finds most complaints are rooted not in RBC actions but the public's ignorance of how Canadian privacy laws work. "Clients often complain that they're asked for information from one RBC entity when the information has already been given to another part of RBC," he says. But because the legislation requires the client to consent any time his personal information is gathered or shared, RBC units can't share that data. It makes for extra work, he says, but better safe than sorry.

By The Numbers

  • $40.9-million -- Amount in U.S. dollars that U.S. retailer TJX Cos. Inc., owner of Winners and HomeSense, agreed to pay in a settlement with Visa over a breach that exposed millions of client card numbers; a proposed settlement with MasterCard would cost TJX another $24-million.
  • 3.4 million -- The number of Bell Canada customers whose personal information was stolen this past February.
  • 49 -- The percentage of German corporations that employ chief privacy officers.

Source: Forrester, staff
