Companies that lose personal customer data should be required to directly notify affected people – with limited exceptions – about the nature and date of the lapse along with steps taken to reduce the harm, says the federal privacy watchdog.
The Trudeau government plans to introduce breach-notification regulations in coming months to improve transparency and help consumers.
Several large businesses have been stung by hackers in recent years, causing embarrassment for proprietors and potential headaches for customers whose personal and financial details are suddenly circulating in cyberspace.
Legislation passed last year laid the groundwork for mandatory reporting of private-sector breaches that pose a "real risk of significant harm" to individuals.
The government recently asked the public and interested parties for comment on shaping the regulations and determining what companies and other private organizations will have to do in the event of a lapse.
The office of federal privacy commissioner Daniel Therrien says companies should directly notify those affected by a breach through means such as telephone calls, emails or mailed letters.
The notice should tell people about the circumstances, the date of the breach (or at least an estimate), a description of the personal information, steps taken to control the harm, measures those affected can take and the contact information of someone at the company who can answer questions.
Setting out the requirements in regulation would "provide important clarity and certainty about the type of information that organizations should communicate to individuals," the commissioner's office says in its submission to the government.
It also urges the government to give thought to cases in which affected people live outside Canada.
In its submission, the Canadian Bar Association also recognizes the importance of providing meaningful notice to individuals of data breaches. "The regulations should avoid being overly prescriptive, however, in the form and manner of notifications. Organizations should have flexibility to determine whether direct or indirect notification is most suitable."
The privacy commissioner says organizations should be allowed to notify individuals indirectly only when:
– Direct notification is likely to cause undue further harm, for instance by informing family members of the person's purchase of a confidential product or service; – Giving direct notification to every affected person on an individual basis would involve prohibitive costs; – Contact information for affected individuals is out of date, incomplete or inaccurate.
Under the new system, organizations covered by Canada's private-sector privacy law would also have to report significant lapses to the privacy commissioner, which would allow his office to determine whether appropriate actions were indeed being taken.
In addition, organizations that experienced a breach would have to keep a record of the data breach and make these records available to the privacy commissioner upon request.
One of the thornier issues to be decided in the regulatory scheme is whether data breaches in which the information is encrypted – encoded so as to make it indecipherable without a digital key – should be considered "low risk" events.
The privacy commissioner says encryption may indeed play a role in reducing or even eliminating risk of harm.
However, it cautions that as algorithms evolve, encryption standards once deemed strong "may be eventually be rendered decipherable." Alternatively, an organization's key management system might be compromised.
"In either case, personal information could then be easily decrypted."