Data Breach Notifications Come to Canada, But More Required to Meet the Challenges Posed by Data Brokers

by Dustin Moores

In May 2017, hackers breached Equifax’s servers. Equifax, as you may recall from our podcast on the subject, is one of the world’s largest credit bureaus, and one of only two operating in Canada. Have you ever rented an apartment before? Applied for a mortgage or loan? Car financing? Chances are, at some point in that process, you were asked if the landlord or lender could perform a credit check on you. This is where Equifax comes in. Equifax, through a number of sources, pieces together financial information about you and computes a credit score. This score is a predictor of your ability to meet financial burdens such as rent or monthly loan payments. Landlords and lenders generally like to know this information before rolling the dice on you as a tenant or debtor.

By any measure, the Equifax breach was massive. Private records on nearly 150 million Americans and 19,000 Canadians were compromised. While past hacks had exceeded the Equifax breach in the sheer number of compromised accounts, what differentiated the Equifax breach was the nature of the information accessed: things like driver’s license numbers, social security numbers, past places of residence and transactions – sensitive information that could easily be exploited by identity thieves. As the New York Times noted, “If identity thieves wanted to hit one place to grab all the data needed to do the most damage, they would go straight to one of the three major credit reporting agencies.” Equifax is one of those three.

Breaches are nothing new: we have grown accustomed to hearing about large-scale data hacks for the better part of the last 20 years. And it is common sense to think that if a company that has assumed responsibility for safeguarding your personal information experiences a breach, it ought to let you know and give you the chance to protect yourself before thieves start racking up debt under your name. In Europe and most U.S. states, when personal information is compromised, as the information in Equifax’s possession was, the organization that was breached is required by law to notify authorities and the individuals affected. So you would think that Canada, once thought of as being a privacy leader, would have laws on the books spelling out breach notification obligations, right? Wrong. In 2017, only one province had any such law in effect: Alberta.

Thankfully, as of November 1st, 2018, the data breach notification provisions in Canada’s private sector privacy law, PIPEDA, will finally come into force. The new provisions will require organizations that have suffered a data breach to notify both Canada’s Privacy Commissioner and the individuals affected where the breach “creates a real risk of significant harm to an individual.” Significant harm is defined in the provisions as “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” Organizations that fail to notify the Commissioner or affected individuals, or that don’t keep records of a breach, can face fines of up to $100,000 per offence. Unlike the EU’s data breach regulations, the provisions attach no strict timeline to how long an organization has to issue a notification, requiring only that notice be given “as soon as feasible after the organization determines that the breach has occurred.”

While the coming into force of PIPEDA’s breach notification rules is a welcome step in the right direction, there is still much room for improvement. As Michael Geist, Canada Research Chair in Internet and E-Commerce Law, points out, technological advances over the last twenty years have rendered PIPEDA no longer fit for purpose.

Data are collected, used, and disclosed in ways not foreseen at the time of PIPEDA’s enactment. For instance, the act does not take into account what is known as the “aggregation effect.” This refers to how brokers take many pieces of raw data and use algorithms to make inferences about the individuals to whom the data relates. Brokers may group individuals into “buckets” of similar consumers “to facilitate direct marketing.” Such buckets may covertly group us together with others based on factors tied to race, religion, and political affiliation – forming potentially discriminatory inferences from otherwise innocuous bits of data.

Smartphones and Internet of Things devices now offer up a steady stream of data that, pieced together, can reveal the most intimate details of our lives.

Perhaps recent events such as the Equifax breach and U.S. election interference will finally spur the political will required to bring our privacy laws where they need to be. Our next post discusses some of the proposals for fixing PIPEDA currently on the table.