Reporting data loss debatable

DAVID CANTON - For the London Free Press - September 10, 2005

Would you want to know if your confidential personal information had been compromised?

This issue will be debated in the upcoming review of Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

PIPEDA and provincial privacy laws, where they exist, for the most part do not require businesses to notify individuals if their personal information may have been unintentionally released.

One exception is Ontario's Personal Health Information Protection Act, which requires custodians of health-related data to tell people if their data are "stolen, lost, or accessed by unauthorized persons."

That has not stopped the federal privacy commissioner from chastising businesses for not notifying customers when personal information has been misplaced.

Asked about the notification of individuals after a privacy breach, the commissioner said a notice requirement "would have to be carefully measured using a risk-based approach to determine the appropriateness of when and how customers should be so notified."

A recent study considered various economic factors to analyse the real cost of notification. It concluded that the benefit of notification to customers whose data have been compromised averages only $7.50 to $10 a person.

The reasons:

* Most cases of identity theft do not involve an online security breach.

* Only a very small percentage of individuals compromised by security breaches, perhaps two per cent, actually become victims of fraud.

* Most of these are victims of fraudulent charges on their existing credit accounts, for which they have limited liability, rather than victims of true identity theft.

* Even a well-designed notification program will only eliminate 10 per cent to 20 per cent of the expected costs.

The paper says any notification mandate should be focused carefully and "firms should be able to determine which customers are most at risk and tailor notice to those individuals . . . Encrypted data should be exempt from notice because it is less likely to be used for fraudulent purposes."

Some U.S. states already have notification laws. New York and California require businesses and government agencies to notify customers if sensitive data have been threatened by a security breach.

The consequences of identity theft can be severe. In addition to financial consequences, victims of identity theft have difficulties clearing their names. The average victim spends a year trying to restore his or her reputation.

When considering legislation to require notice of breaches we must think about the advantages and costs of such notices and in what circumstances they should be given.

Will consumers actually take any steps for prevention or monitoring if they are notified? Or will the relatively low individual risk involved lead consumers to treat notifications like the boy who cried wolf?

What should the threshold be for the requirement to give notice? In many instances, businesses will not be certain whether information has been compromised. The encryption exemption is not clear, either: "encryption" covers methods of widely varying strength, and encrypted data are only as well protected as the key, which may be lost or stolen along with them.
