More on Bill C-27 and Canada's ID theft law
November 27, 2007
A Canadian lawyer said that a recently proposed amendment to the Criminal Code that would make reckless handling of personal information a federal crime can be troubling given the very broad definition of the word "reckless". If Canada passes its proposed Bill C-27, it will be an offense to make available or sell personal information such as names, addresses, bank account information and especially social insurance numbers knowing that such information could be used to commit fraud.
The same law would apply if the person or company selling the information is reckless as to whether the data will be used for fraud by a third party.
Bill C-27, an Act to Amend the Criminal Code (identity theft and related misconduct), was tabled in the House of Commons last week and passed first reading. To be sure, the problem with measuring recklessness is a valid concern for organizations whose business relies on collecting customer personal information, given the lack of industry standards, said Howard Simkevitz, an attorney with the law firm Lang Michener LLP in Toronto.
Some industry observers are starting to say prepare for the receipt of the ‘nightmare access letter’ from an irate consumer who knows a little too much about privacy and information technology.
David Canton, a lawyer with the law firm Harrison Pensa, said "Bill C-27's recklessness aspect is probably intended to capture people who do more than just act negligently, but turn a blind eye to securing specific and critical personal information."
Canton added that "overall, PIPEDA (Personal Information Protection and Electronic Documents Act) provides a good starting point by advising organizations to determine whether the information they are collecting is personal, and if it is, to determine if they have received consent to collect and use it for certain purposes."
Some international standards, from bodies such as the ISO (International Standards Organization), handle security compliance, but there's no equivalent for privacy.
"When we're talking about identity theft and it's the theft of personal information, that's a distinct privacy-oriented term," said Canton.
He added the term reckless includes the absence of precautions around securing customer personal data, so organizations should implement policies and procedures based around this. Such precautions are mainly based on common sense and good corporate values around how to handle another person's sensitive data.
"Overall, the risk of running afoul is at least minimalized, but there are tons of issues here, and the fact that now there are criminal sanctions that could be applied, is an issue," said Canton.
The privacy commissioner, he added, also makes available helpful guidelines around policies.
For example, when transferring that type of data to a third party, the organization should seek assurances that the recipient of the information is going to do what it has said it will do with the data, he said. Often, having contractual provisions to limit use of the data by a third party is useful, he added.
If companies seek such assurances, he said, "I would suspect that they haven't crossed the reckless threshold."
Canton added that "companies and even non-profit organizations are vicariously liable for actions of their employees. Specifically, if the act committed falls within the ambit of that person's job, then the organization can be held liable, but it's not always an easy line to draw."
Given that Bill C-27 complements PIPEDA and other existing privacy legislation, companies who have already dealt with privacy probably have dealt with the issues that this new bill presents.
However, a rogue employee stealing customer personal information for the purposes of fraud could, depending on the circumstances, mean the company has been reckless. Canton added, though, that if the company can demonstrate it took necessary actions to mitigate such risk, then it may not be held liable.
In particular, he said, it's great that the bill includes compensating victims of identity fraud, but it doesn't address the issue of quantifying damages like the loss of a driver's license versus hassles at the border because of issues with stolen identity.
"It certainly does add teeth to PIPEDA. Is this sufficient? I would be more reluctant to say that it is," said Canton. "Bill C-27's proposals do not add anything to existing legislation, but raises the bar and is maybe one way of putting criminal teeth in the security aspect of PIPEDA, although it's probably not its prime intention."
Canton said it's hard to argue against some of the contents of the bill and it's usually difficult to tell if such things will help deter identity theft, but that it's certainly a step in the right direction.
Canton added that "Bill C-27 sensitizes corporations to the importance of protecting personal information. It's a bit like Sarbanes-Oxley (SOX) but just different in its mandate."
Source: IT World Canada