Data Security Breach
In a 2008 interview, Stoddart stated: "I would think with the alarm bells going off about huge data security breaches that most companies would be taking more active steps...This type of gambling with personal information leaves consumers in a precarious spot...[O]f course, not all of the data compromised in these kinds of breaches winds up in the hands of criminals. However, it is clear crooks have recognized that personal data are a gold mine. Identity theft is rampant - and lucrative."
Manager responsibilities
Information breaches are extremely difficult to track in Canada because there is no single designated body charged with assessing and addressing the issue. The current focus is on mitigating the negative consequences of a breach, much like closing the barn door after the horse has bolted. Managers must start handling personal information as they would actual cash. Once personal information has been collected, managers have a duty to protect it. Passing legislation to outlaw fraudulent activities is simply not enough: what is required is education, awareness and enforcement capabilities with penalties that are a real deterrent.
Some consumer advocacy groups argue that PIPEDA should permit civil actions in the event of personal information breaches. This is underscored by the belief that organizations that collect personal information are really custodians, not owners, of the information. Managers have to understand their obligations to maintain the security of this data.
It appears evident that the issues of breach containment, risk evaluation, notification and prevention should be the basis of a widespread educational initiative throughout the organizational structure of all agencies that collect and use personal information.