Unless an organization notifies individuals whose information has been placed at risk, affected individuals may end up as the unwitting victims of potentially devastating identity theft. Yet organizations, especially those in competitive markets, have little incentive to disclose their security failures voluntarily, given the costs and the damage this can do to their reputation.
This White Paper argues for a Canadian law requiring that organizations notify individuals when their personal information has been compromised as a result of a breach of the organization's security. In particular, it calls for an amendment to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) to provide for mandatory notification of security breaches when certain types of personal information are exposed to unauthorized access as a result of a security breach.
Following a review of gaps in the Canadian legal framework, this Paper analyzes security breach legislation in the U.S., where over half the states have enacted a mandatory security breach disclosure requirement and where several federal bills are currently pending. Various arguments for and against mandatory notification are analyzed, and specific recommendations for amending PIPEDA are proposed.
“Approaches to Security Breach Notification” is a White Paper released by the Canadian Internet Policy and Public Interest Clinic (CIPPIC). It's a great read and will help a lot when working with my Canadian customers.