Once again, privacy, or the breach of it, is in the news. Millions of customers of retail chain TJX in Canada and the United States have had their financial information and credit card numbers exposed to hackers. In Canada, Talvest Mutual Funds, a division of CIBC, one of that country’s largest banks, said a backup computer file had disappeared with the personal financial information of half a million customers. It happened late last month, but was only revealed to the public this week.
CIBC has had similar problems before, with records of customers repeatedly being faxed to a dump site in West Virginia and the bank refusing to take action to stop it until it became a public relations disaster.
There are many unanswered questions about these recent events, some of which are set out in a statement by The Centre for Corporate & Public Governance. Normally, such occurrences would be sufficient cause for outrage on the part of customers and concerned citizens. But the real story here, as The Centre has stated, is the existence of a culture of complacency, if not outright negligence, in the safeguarding and protection of personal information. Time and again, companies confess breaches in the safeguarding of personal information. Time and again, governments fail to act.
As The Centre notes in its statement, Canada’s privacy watchdog has disappointed many Canadians in the handling of their complaints.
…many individuals are of the view that privacy authorities have displayed an overly casual, and in some circumstances, inept, approach to the enforcement of existing privacy laws, which has compromised their confidence in the current privacy protection regime. The Centre regularly receives complaints from individuals about inadequate and unacceptable treatment by government privacy watchdogs, including the office of the federal privacy commissioner. In a number of cases, complainants were either ignored entirely or received only a perfunctory response after several attempts were made to have issues addressed. In one situation, the federal privacy office took no action and refused even to commence an investigation when senior officials of a Canadian chartered bank could not account for the whereabouts of a letter containing the customer’s personal information that was faxed to them. In other cases, complainants were of the view that the privacy watchdog had a disturbing predisposition to accept the word of the institution it was supposed to be investigating without inquiring into the facts, including at least one situation where a customer had inadvertently been sent electronic files containing the personal information of dozens of employees of a major financial institution.
There is a need, in an increasingly networked age, for a more robust approach on the part of the corporate sector and governments to the protection of individual privacy. The need is urgent. When a major financial institution can become a second offender in failing to protect sensitive information entrusted to it – and some might suggest there have been more episodes at this bank – there is clearly a problem in enforcement.
This most recent breach came to the attention of Canada’s privacy commissioner before Christmas. It is just coming to public attention now. What has she done? Little detail is being provided as to whether the information was protected by encryption and passwords, much less the circumstances surrounding the disappearance of the data. Canada’s privacy commissioner looks like a hapless spectator in yet another CIBC privacy fiasco when she should have been a pit bull on the scene demanding answers and ensuring quick disclosure of the loss.
As The Centre’s statement observes, there is a need for tougher laws that will protect Canadians and punish offenders. It has called on the federal government to initiate that process and on committees of the House of Commons and Senate to hold hearings that will bring forward witnesses from the corporate sector and those who have had their privacy violated and identity stolen. But Canada also needs an aggressive watchdog who will change the culture of complacency over the safeguarding of personal information to one of fear for the consequences if a company fails to protect personal information. It begins by treating individuals who come forward with instances of breaches in their personal information with respect and the seriousness they deserve, not by ignoring them or sloughing them off. And it means having a privacy commissioner who will be a watchdog that bites when repeat offenders are discovered, not a lapdog that squeaks out a press release.
Canada’s top privacy guardian allowed too much time to pass between when these breaches occurred and when they were made public, and too many important questions to go unanswered. In the process, she has lost her leadership role and let down Canadians who depend upon her, which is why the privacy commissioner’s handling of her duties over this most recent fiasco is the Outrage of the Week.