Wednesday, June 28, 2006

Encouraging disclosure

Ontario's privacy commissioner has called for a first step in ensuring that citizens are informed when their personal information may be at risk:
To fight identity theft, Ontario should pass a law forcing companies and organizations to inform customers if their personal information has been compromised, says the provincial privacy commissioner.

"Right now, if there's a breach in Ontario, nobody has to be notified unless it's health information," Ann Cavoukian said yesterday after releasing her latest annual report.

California has such a law, which requires immediate notification of privacy breaches so consumers can be on guard for signs their identities have been stolen, such as credit cards issued in their names to strangers...

Advocates say so-called "breach notification" laws make it impossible for companies, embarrassed by leaks of confidential information, to deal with them quietly, leaving customers at the mercy of unscrupulous identity thieves.
If anything, the "embarrassment" idea seems to me to overstate the case. But it should be clear that individuals need the opportunity to take precautions themselves when their personal data has been compromised - and when organizations are able to cover up breaches, that option isn't available.

Moreover, it may well be that the proposed law could turn out to be a plus for the affected organizations as well. While there might be some cost (both in reputation and in resources) to informing customers of any breaches, that downside would surely be outweighed by the danger that an attempted cover-up would leave an organization liable for negligent management of its data, with the potential for greater damages where individuals don't receive the opportunity to protect against the effects. But it may take a statute to highlight the dangers of trying to suppress any breaches.

In sum, the proposed law would only spur organizations toward a sound policy. Hopefully the Ontario government will shift from its current lack of responsiveness, and other provinces will also take a small step to ensure that data breaches have as few harmful consequences as possible.
