Molly Reynolds is privacy counsel at Torys LLP

The year isn’t over yet – but the trend is clear. With new security flaws being discovered in software every day – on top of plain old human negligence and nosiness – our data are at more risk than ever.

It’s in this context that the federal government enacted privacy-law amendments requiring companies to disclose data breaches that pose a real risk of significant harm to an individual.

These regulations have just come into force. And their intent is good. We deserve to know whether our privacy is being put at risk. But as we’ve seen in other jurisdictions with similar disclosure requirements, “oversharing” comes with risks of its own – to the public and the privacy regulator itself.

Companies will be overly cautious

The law establishes a threshold: data breaches must pose a “real risk of significant harm” to those affected to warrant disclosure.

But the law is light on details and new guidance from the federal Privacy Commissioner does little to help companies identify risks and weigh potential harms against this threshold.

Although the internet is midway through its fourth decade, the “new reality” – in which hackers and data brokers freely trade our data online – has only recently taken hold. Polls show Canadians are concerned about the safety of the information they give to businesses. In this context, companies are not likely to take risks. They will err on the side of caution, disclosing even minor breaches that may not meet the risk-based standard.

This type of oversharing may please privacy advocates, but it comes with adverse consequences.

Regulators will be overwhelmed

In other jurisdictions where data-breach notification requirements have been implemented, regulators have seen a surge in disclosures – so much so that their own processes are overwhelmed.

Just look across the Atlantic. After the European Union’s General Data Protection Regulation (GDPR) kicked in this spring, the United Kingdom saw a surge in notifications. As many as 500 calls a week were made to its breach-reporting phone line alone. According to the U.K. Information Commissioner’s Office, as many as one-third of these breaches were “not reportable” under the GDPR’s notification threshold.

In the absence of clarity from the regulator, organizations decided that it was better to be safe than sorry. That is why, on its website, the Information Commissioner’s Office now indicates – in bold – that organizations do not need to report every breach, and provides substantial resources guiding organizations in their application of the threshold.

Back in Canada, the Privacy Commissioner has said his office did not receive any additional funding to support the new breach-disclosure rules and impending wave of reports. A handful of employees will need to wade through reports of all kinds, trying to identify those serious enough to merit attention. But oversharing poses a threat to more than the Privacy Commissioner’s overworked employees. It poses a threat to individuals whose data have been compromised – the very people this law is meant to protect.

Individuals will tune out

In past years, large data breaches regularly made the news. In Canada, consider the infidelity dating site Ashley Madison, which made front-page headlines for months in 2015 when it was a victim of a salacious attempt at extortion, or the hard drive with thousands of student loan records that went missing from a government office. Now, with hundreds of major breaches occurring each year, people are suffering from “data-breach fatigue.”

If companies err on the side of notification because they can’t navigate the breach-disclosure threshold, there is a real risk that this fatigue could be replicated on an individual level – people will stop paying attention when they are told their data could be at risk and how to protect themselves.

This is dangerous. Although many data breaches pose little risk, some can have serious consequences – for a person’s credit score, security or even personal identity. Most data-breach notices suggest some kind of self-help: swap your payment card; set up fraud alerts; change your passwords. A deluge of notices and suggested action will ultimately irritate, exhaust or bore some Canadians. People will stop reading notices, stop taking action. We cannot, through overreporting, set ourselves up for more risk by overwhelming consumers and regulators.

Clarity is needed

The Privacy Commissioner’s Office must follow the lead of its U.K. colleagues and provide more detailed, practical clarity to organizations on what types of breaches meet the disclosure threshold – and just as importantly, what types of breaches should not be publicized.

In doing so, it will be able to avoid the problem of oversharing that puts its processes – and our citizens – at risk.
