Canada Industry Minister Tony Clement says he’s open to the idea of fines for data breaches involving customer information. It appears to be a response to last week’s call for “attention-getting fines” by Canada’s Privacy Commissioner. Canada does have data protection laws (PIPEDA, Personal Information Protection and Electronic Documents Act), that require, among other things, the use of data security tools like data encryption software from AlertBoot.
However, under the current laws, the Privacy Commissioner currently doesn’t have the ability to impose fines. Furthermore, companies involved in a breach are not required to report the fact to the commissioner’s office.
PIPEDA Needs Updating
The requirement to use encryption software is a pretty advanced once, if I may so. A handful of countries have made the use of encryption mandatory. In the US, Massachusetts is the only state that has done so, as far as I know.
Most governments and regulating organizations, however, fall short of requiring it, seemingly content in extending safe harbor from punitive data breach laws if encryption is used. The results on offering the “data encryption carrot” and “breach notification letter stick” have been mixed so far: many companies have begun using data encryption in the workplace to secure data, and even more are looking into it or seriously considering it, but the stories of data breaches haven’t stopped growing in the years since such laws have been codified.
Canada is one of the few nations that does require encryption. However, there aren’t any penalties for not encrypting data under that law.
I Thought PIPEDA has Fines of $100,000?
I have found that there is a maximum fine of $100,000 per violations of PIPEDA but it’ not aimed at data breaches. Rather, it’s for certain “indictable offences” (foglerrubinoff.com):
Destroy personal information that an individual has requested;
Retaliate against an employee who has complained to the Commissioner or who refuses to participate in a violation of PIPEDA; and
Obstruct or otherwise refuse to co-operate with the Commissioner in the investigation and resolution of a complaint
As long as a company doesn’t do any of the above, it can lose laptops full of customer info and, well, not do anything about it. Companies don’ t even have to notify individuals affected by the breach if they don’t think an incident poses significant harm.
Related Articles and Sites: