Approaches to Security Breach Notification by CIPPIC

Identity theft and related fraud have become serious risks for individuals in the information age. Identity thieves gather sensitive personal information from a number of sources, then use it to engage in fraudulent activities in the name of the victim, usually for financial gain. Sources of information include data brokers and other organizations that collect, hold and disclose such information in the course of their normal activities. As the number and size of personal information databanks grows, security breaches exposing customer information to unauthorized access and use are becoming commonplace.
Unless an organization notifies individuals whose information has been placed at risk, affected individuals may end up as the unwitting victims of potentially devastating identity theft.  Yet organizations, especially those in competitive markets, have little incentive to disclose their security failures voluntarily, given the costs and the damage this can do to their reputation.  
This White Paper argues for a Canadian law requiring that organizations notify individuals when their personal information has been compromised as a result of a breach of the organization's security.  In particular, it calls for an amendment to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) to provide for mandatory notification of security breaches when certain types of personal information are exposed to unauthorized access as a result of a security breach.
Following a review of gaps in the Canadian legal framework, this Paper analyzes security breach legislation in the U.S., where over half the states have enacted a mandatory security breach disclosure requirement and where several federal bills are currently pending.  Various arguments for and against mandatory notification are analyzed, and specific recommendations for amending PIPEDA are proposed.

“Approaches to Security Breach Notification” is a White Paper released by the Canadian Internet Policy and Public Interest Clinic (CIPPIC). It's a great read and will help a lot when working with my Canadian customers.


Author: Xavier Ashe

Entrepreneur, Infosec Executive, CISSP, CISM, Ironman triathlete, traveler, UU, paleo, father of 8, goyishe, gamer, & geek.
