Data Breaches: Worth Noticing?

Author

John Lawford, Janet Lo

Organization

Public Interest Advocacy Centre (PIAC)

Published

2011

Summary

This report examines data breach notification in Canada in the private sector in general and in particular whether the proposed federal data breach notification law (Bill C-12) is adequate to protect Canadian consumers.

"Data breaches" are a loss, unauthorized access to or unauthorized disclosure of individuals' personal information by an organization holding that data. At present, only Alberta law requires reporting of private sector data breaches. Federally, such data breaches presently are covered by voluntary guidelines from the Privacy Commissioner of Canada.

The report concludes that the proposed data breach notification requirements in Bill C-12 grant excessive discretion to organizations that have had a data breach, allowing them unilaterally to characterize the breach as non-harmful to consumers. In so doing, organizations gain the benefit of a largely unreviewable decision in the face of a manifest and undeniable conflict of interest. The result is likely to be a vast underreporting of serious data breaches, which puts consumer welfare at excessive risk.

This document is available in the following language(s):

Third-Party Information Liability Disclaimer

Some of the information on this Web page has been provided by external sources. The Government of Canada is not responsible for the accuracy, reliability or currency of the information supplied by external sources. Users wishing to rely upon this information should consult directly with the source of the information. Content provided by external sources is not subject to official languages, privacy and accessibility requirements.

English and French

• English (HTML document)
• English (PDF document)
• French (PDF document)

OCA Funded Research
This research received funding support through the Office of Consumer Affairs' Contributions Program.

Contact information

Source: Consumer Policy Research Database