The year isn’t over yet—but the trend is clear. With new security flaws being discovered in software every day—on top of plain old human negligence and nosiness—our data is at more risk than ever.
It’s in this context that the federal government enacted privacy-law amendments requiring companies to disclose data breaches that pose a risk to an individual.
These regulations have just come into force. And their intent is good. We deserve to know if our privacy is being put at risk. But as we’ve seen in other jurisdictions with similar disclosure requirements, “oversharing” comes with risks of its own—to the public and the privacy regulator itself.
Companies will be Overly Cautious
The law establishes a threshold: data breaches must pose a “real risk of significant harm” to those impacted to warrant disclosure.
But the law is light on details and new guidance from the federal Privacy Commissioner does little to help companies identify risks and weigh potential harms against this threshold.
Although the internet is midway through its fourth decade, the “new reality”—where hackers and data brokers freely trade our data online—is relatively new. Polls show Canadians are concerned about the safety of the information they give to businesses. In this context, companies are not likely to take risks. They will err on the side of caution, disclosing even minor breaches that may not meet the risk-based standard.
This type of oversharing may please privacy advocates, but it comes with adverse consequences.
Regulators will be Overwhelmed
In other jurisdictions where data breach notification requirements have been implemented, regulators have seen a surge in disclosures – so much so that their own processes are overwhelmed.
Just look across the Atlantic. After the European Union’s General Data Protection Regulation (GDPR) kicked in this Spring, the United Kingdom saw a surge in notifications. As many as 500 calls per week were made to their breach reporting phone line alone. According to the UK Information Commissioner’s Office as many as one-third of these breaches were ‘not reportable’ under the GDPR’s notification threshold.
In the absence of clarity from the regulator, organizations decided that it was better to be safe than sorry. That is why, on its website, the Information Commissioner’s Office now indicates—in bold—that organizations do not need to report every breach, and provides substantial resources guiding organizations in their application of the threshold.
Back in Canada, the Privacy Commissioner has said his office did not receive any additional funding to support the new breach disclosure rules and impending wave of reports. A handful of employees will need to wade through reports of all kinds, trying to identify those serious enough to merit attention. But oversharing poses a threat to more than the Privacy Commissioner’s overworked employees. It poses a threat to individuals whose data has been compromised—the very people this law is meant to protect.
Individuals Will Tune Out
In past years, large data breaches regularly made the news. Consider Canada’s own Ashley Madison which made front-page headlines for months in 2015 with a salacious attempt at extortion, or the hard drive with thousands of student loan records that went missing from a government office. Now, with hundreds of major breaches occurring each year, people are suffering from “data-breach fatigue.”
If companies err on the side of notification because they can’t navigate the breach disclosure threshold, there is a real risk that this fatigue could be replicated on an individual level—people will stop paying attention when they are told their data could be at risk and how to protect themselves.
This is dangerous. Although many data breaches pose little risk, some can have serious consequences—for a person’s credit score, security, or even personal identity. Most data breach notices suggest some kind of self-help: swap your payment card; set up fraud alerts; change your passwords. A deluge of notices and suggested action will ultimately irritate, exhaust or bore some Canadians. People will stop reading notices, stop taking action. We cannot, through overreporting, set ourselves up for more risk by overwhelming consumers and regulators.
Clarity is Needed
The Privacy Commissioner’s Office must follow the lead of its UK colleagues and provide more detailed, practical clarity to organizations on what types of breaches meet the disclosure threshold—and just as importantly, what types of breaches should not be publicized.
In doing so, they will be able to avoid the problem of oversharing that puts their processes—and our citizens—at risk.
This article was originally published in the Globe and Mail.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2021 by Torys LLP.
All rights reserved.