5 Things That Should Be in the Canadian Privacy Reform Legislation

While we have offered criticism over a lack of privacy reform, we decided to offer ideas on what should be in such legislation.

We’ve spent quite a bit of time and digital space criticizing the state of privacy in Canada. In fact, as recently as yesterday, we pointed out, yet again, why the state of privacy laws is a joke. A core reason for our criticism is the fact that privacy commissioners are reduced to writing strongly worded letters whenever a privacy incident occurs. That comes with a complete lack of repercussions whenever a company decides that the strongly worded letter isn’t worth its time.

Of course, some might point out that it’s much easier to criticize others than it is to actually offer ideas on how to do something better. So, we thought we’d offer 5 ideas on how Canada can reform privacy laws to make them stronger and make Canada a better country for it.

1. Put in Proper Resources to Enforce Privacy Laws

If we are going to properly enforce modern privacy laws, that has to be backed up with the ability to actually enforce them. This is very easily a lesson any country can take from the rollout of Europe’s GDPR (General Data Protection Regulation). When the GDPR came into force back in 2018, a lot of the concerns revolved around whether the legislation put too much of a burden on sites and whether the fines went too far. What very few people had top of mind was whether the resources were in place to properly enforce such a law.

By February of 2020, enforcement found itself dealing with over 160,000 incidents. No, that isn’t a typo. The concerns about the law being too harsh and overly burdensome had quickly evaporated. In their place were concerns about regulators being completely overwhelmed with all the cases they had to deal with. European governments found themselves having to go on large recruitment campaigns to try and fill the front lines with enough people. The goal was to relieve the pressure on those already enforcing the law.

As they say, hindsight is 20/20. The problem, even back in 2018, was that privacy law violations and the improper handling of people’s personal information had been going on for years. It wasn’t until 2018 that governments finally got around to properly cleaning things up. Since the issues had been out of hand for so long, the cleanup process wound up being monumental.

To put it another way, it’s like there was a massive beach party going on for weeks. Loud music was on every night. After multiple visits from law enforcement to tell people to turn the music down, reports came in that there was garbage in the area that needed cleaning up. So, finally, a crew of two showed up with a pickup truck and garbage bags, expecting to clean up a few beer cups and other bits of garbage. When they showed up, they saw piles of trash as high as a two-story building. Sure, they could fill up their truck, but the reports had grossly underestimated the extent of the problem.

The same kind of thing happened in the initial months of GDPR enforcement. People knew there was a problem. No one could predict just how huge a problem it was until enforcement finally showed up to properly assess the situation.

That same problem is going to happen in Canada should the Canadian government implement proper privacy reform laws. That beach party is still going on and those trash piles are still piling up in Canada. Canada is tacking on an additional 4 years of problems piling up because the government couldn’t even be bothered to get its act together. No one will know how bad the state of privacy is in Canada until the situation gets properly assessed. Based on what happened in Europe, chances are the situation in Canada is also really bad. Back in November, we got a hint of this thanks to a survey that was published, but that’s about it.

Ideally, the Canadian government should prepare for a tsunami of problems when proper privacy reform is implemented. It’s going to be ugly, but at the very least, the problem is going to finally get dealt with after years of neglect. What’s more, it’s going to take a while to get the situation under control. Simply leaving it to the privacy commissioner’s existing resources will prove to be a huge mistake because they will very easily become overwhelmed.

2. Implement Proportionate Fines that Will Sting the Big Players and Not Kill Off Small Businesses

Enforcement is going to be a major sticking point for privacy reform. As of now, Canada doesn’t really have fines for when a company loses people’s personal information. This is where modelling after Europe is actually a good idea. As of now, the maximum fine there is 20 million euros or 4% of annual turnover, whichever is greater. Setting this as a maximum fine allows enforcement to take into consideration the size of the operation.

One good reason for this is the fact that the severity of a breach differs in many ways. For instance, a breach that exposes 10,000 e-mail addresses is always going to be less severe than a breach that exposes 10,000 Social Security Numbers, credit card numbers, dates of birth, and many more of the tools needed for identity theft. Yes, both are bad, but let’s face it, you’d rather have an e-mail address exposed than your credit card information in the end.

Another good reason for this style of fines is that smaller operations could otherwise be one breach away from bankruptcy from fines alone. A business that has, maybe, 100 customers per month is going to easily get wiped out if the minimum fine is $10 million. At the same time, if a large tech giant gets hit with a breach, and it is shown that they were negligent in handling people’s personal information, a $10 million fine is going to take seconds to recover from. Hardly a deterrent. That’s the reason for including annual turnover: it’s to get larger players on board instead of letting them treat fines as a minor cost of doing business.

That’s what makes the European model so attractive. That operation that has 100 customers per month could get slapped with a $100 fine if they were negligent in handling people’s personal information. Yes, that stings, but there is a good chance that fine isn’t going to force that business into bankruptcy either. It gets the message across, though. Meanwhile, a large tech company could easily get hit with hundreds of millions of dollars in fines. Same idea: it gets the message across to get their act together and fix those vulnerabilities.

It’s a flexible idea that works for all involved. That flexibility would certainly be welcome.

3. Implement Mandatory Self-Reporting and Customer Notification

Very few in the security community would disagree with the idea that secrecy surrounding a breach is a major problem. Whenever a private business gets hit with a hack, there are loads of incentives to keep the issue quiet. The reasons for keeping a breach quiet are, from the business perspective, pretty strong ones. For one, you suffer reputation damage by admitting that your systems were hacked. For another, if that business is publicly traded, its share price often plummets following a breach. What’s more, if customers find out that their information was compromised and abused, that is grounds for litigation if it can be shown that the company was negligent in securing that personal information.

Of course, the problems associated with keeping quiet about a breach are also quite apparent. A customer’s personal information is probably floating around on the dark web, being bought and sold in various packages. All this is happening without the customer’s knowledge. So, when an identity thief gets their hands on that personal information and decides to rack up fraudulent charges, all the customer knows is that fraudulent charges are now showing up on their credit card statements (assuming the customer even checks those statements in the first place). That customer has very little recourse. They don’t know how thieves got their information and, what’s more, they probably have to fight with banks to have those charges reversed.

What’s more is that personal information being compromised very easily ruins lives. Whether it is getting constant phone calls from fraudsters or having to fight banks to get fraudulent charges reversed, the damage can be quite severe in some cases.

Of course, the problem is that business has all the cards in this. Given that they so often focus on what’s best for them rather than what’s best for the customer, chances are, they are going to be looking out for number one. Yes, there are those that will be honest and admit to the customers that they screwed up, but that doesn’t always happen.

That’s why mandatory reporting is so huge in privacy reform. It compels businesses to come forward and say, “Yes, we became a victim.”

This admission not only compels good faith behaviour, but also helps significantly in sorting out security in the event a breach occurs. This way, authorities can get a better handle on assessing the state of security in the private sector. What’s more, this combats the problem of there being a shroud of secrecy surrounding a breach. Even better, a law can also compel notifying the customer when a breach occurs. That allows the customer to change passwords and secure their information online, doing what they can to prevent problems before they start.

Everyone gets to be on the same level playing field as a result, and everyone can be more secure for it.

4. Implement A Standard for Securing Personal Information

Of course, breaches are a huge concern. However, prevention can play a key role in reducing incidents in the first place. The best breach or hack is one that doesn’t occur at all.

One way privacy reform can play a role in prevention is by mandating standards for securing people’s personal information. Sometimes, personal information is just lying around, waiting to be slurped up by a malicious third party. You’d be shocked at how bad a data leak can be sometimes. Whether it is passwords being stored in plain text or backup databases being stored on a public cloud storage account, data leaks are a real problem that does need to be addressed.

So, privacy reform can set the stage for telling businesses what they need to do to secure their information. Whether it is encrypting their data (for example, SSL for online transactions), storing personal information in a secure manner, or keeping up to date with the latest patches on a Content Management System (CMS) to prevent security vulnerabilities from being exploited, there are many ways that government can say, “if you are in the business of handling personal information, these are the rules you must follow. Failure to do so will result in fines, so please get your act together on this front.”

5. Offer Resources for Business to Keep Their Information Secure

While it’s one thing to establish a set of rules that businesses must follow to keep their information secure, education can also go a long way in helping businesses secure their information. While not necessarily something that needs to be legislated, offering resources can also help new or small businesses get up to speed in securing personal information.

It’s easy to be an armchair security expert and talk about ways of securing your information when you are already in the know. It’s very different when security is far from your area of expertise. If you are more into, say, gardening, cosmetics, or quilting, properly securing your customers’ information may very easily be outside your field of expertise. So, rather than leaving those small businesses out in the cold, the government can very easily offer ideas on helping people secure their information. This can include a suggested whitelist of software versions that the government considers secure, updated regularly.

Another example of what the government can do is say something along the lines of, “if you have a website, it is recommended that you get an SSL connection. There are many different kinds and your hosting provider might offer suggestions. If your hosting provider doesn’t offer suggestions, then the following list of free and paid options is what is recommended.”

This way, if you happen not to be savvy in the ways of web security, and the resources are otherwise not at your fingertips, you can still obtain what you need to make your web service reasonably secure through a government web page.

Conclusions

Now, are there other ways to better secure people’s personal information via privacy reform? Sure. Can the above ideas be refined further? Probably. Still, there are ways of making privacy reform meaningful. The above can very easily go a long way in doing so. What’s more, these ideas can, at the very least, get Canada on the road to providing a balanced approach to reforming privacy that will have meaningful impact for everyone.

Drew Wilson on Twitter: @icecube85 and Facebook.
