Molly Reynolds is privacy counsel at Torys LLP
The year isn’t over yet – but the trend is clear. With new security flaws being discovered in software every day – on top of plain old human negligence and nosiness – our data are at more risk than ever.
It’s in this context that the federal government enacted privacy-law amendments requiring companies to disclose data breaches that pose a risk to an individual.
These regulations have just come into force. And their intent is good. We deserve to know whether our privacy is being put at risk. But as we’ve seen in other jurisdictions with similar disclosure requirements, “oversharing” comes with risks of its own – to the public and the privacy regulator itself.
Companies will be overly cautious
The law establishes a threshold: data breaches must pose a “real risk of significant harm” to those affected to warrant disclosure.
But the law is light on details and new guidance from the federal Privacy Commissioner does little to help companies identify risks and weigh potential harms against this threshold.
Although the internet is midway through its fourth decade, the “new reality” – in which hackers and data brokers freely trade our data online – is relatively new. Polls show Canadians are concerned about the safety of the information they give to businesses. In this context, companies are not likely to take risks. They will err on the side of caution, disclosing even minor breaches that may not meet the risk-based standard.
This type of oversharing may please privacy advocates, but it comes with adverse consequences.
Regulators will be overwhelmed
In other jurisdictions where data-breach notification requirements have been implemented, regulators have seen a surge in disclosures – so much so that their own processes are overwhelmed.
Just look across the Atlantic. After the European Union’s General Data Protection Regulation (GDPR) kicked in this spring, the United Kingdom saw a surge in notifications. As many as 500 calls a week were made to its breach-reporting phone line alone. According to the U.K. Information Commissioner’s Office, as many as one-third of these breaches were “not reportable” under the GDPR’s notification threshold.
In the absence of clarity from the regulator, organizations decided that it was better to be safe than sorry. That is why, on its website, the Information Commissioner’s Office now indicates – in bold – that organizations do not need to report every breach, and provides substantial resources guiding organizations in their application of the threshold.
Back in Canada, the Privacy Commissioner has said his office did not receive any additional funding to support the new breach-disclosure rules and impending wave of reports. A handful of employees will need to wade through reports of all kinds, trying to identify those serious enough to merit attention. But oversharing poses a threat to more than the Privacy Commissioner’s overworked employees. It poses a threat to individuals whose data have been compromised – the very people this law is meant to protect.
Individuals will tune out
In past years, large data breaches regularly made the news. In Canada, consider the infidelity dating site Ashley Madison, which made front-page headlines for months in 2015 when it was a victim of a salacious attempt at extortion, or the hard drive with thousands of student loan records that went missing from a government office. Now, with hundreds of major breaches occurring each year, people are suffering from “data-breach fatigue.”
If companies err on the side of notification because they can’t navigate the breach-disclosure threshold, there is a real risk that this fatigue could be replicated on an individual level – people will stop paying attention when they are told their data could be at risk and how to protect themselves.
This is dangerous. Although many data breaches pose little risk, some can have serious consequences – for a person’s credit score, security or even personal identity. Most data-breach notices suggest some kind of self-help: swap your payment card; set up fraud alerts; change your passwords. A deluge of notices and suggested action will ultimately irritate, exhaust or bore some Canadians. People will stop reading notices, stop taking action. We cannot, through overreporting, set ourselves up for more risk by overwhelming consumers and regulators.
Clarity is needed
The Privacy Commissioner’s Office must follow the lead of its U.K. colleagues and provide more detailed, practical clarity to organizations on what types of breaches meet the disclosure threshold – and just as importantly, what types of breaches should not be publicized.
In doing so, they will be able to avoid the problem of oversharing that puts their processes – and our citizens – at risk.