Shostack + Friends Blog Archive


More on the CIPPIC Report

A few days ago, Chris covered the release of a report from the Canadian Internet Policy and Public Interest Clinic, “Approaches to Security Breach Notification” (PDF). This is highly readable and important analysis. If you care about breaches, read it. I’d like to add some notes from my reading of it.

  • First, the report talks about the moral aspects of breach reporting in terms which resonate with me. For example:

    These investigation reports suggest that the Alberta Commissioner considers breach notification to be an important moral responsibility, if not a legal duty, under the Alberta private sector data protection legislation.

    and

    The Privacy Commissioner for the State of Victoria, [Australia] in his investigation of inappropriate disclosure of personal information by the Office of Police Integrity (a civilian oversight body for police conduct) stated that the Privacy Act contains a “presumption … that privacy breaches ought to be notified to those whom they potentially affect”.

  • The report points to a Perkins, Coie “Data Breach Notification Chart” (pdf). Mmmm, 34 pages of analysis which isn’t legal advice.
  • It points to the seven government actions, and eight class action, (or attempted class action) suits.
  • I do have one small nit. The advice given is to “Amend PIPEDA to include an explicit security breach notification requirement.” This is a great recommendation, but (my understanding of PIPEDA is that) PIPEDA is a private sector law, and this leaves the Canadian Government in an unclear legal state. I suggest that both the Canadian Privacy Act and PIPEDA be amended in the same ways.
  • Finally, it contains this stunningly clear summary:

    Breach notification laws clearly provide organizations with an incentive to improve security. Organizations will surely take greater care to prevent security breaches if they know that such breaches will carry significant costs in terms of reporting and negative publicity. Conversely, “the ability to cover up data security breaches simply encourages complacency and rewards incompetence.”

(Image: Philippa Lawson, one of the report’s authors. Photo from the University of Ottawa Gazette.)