In the past six months, media headlines across North America have clamoured about privacy breaches at companies such as ChoicePoint, the San Jose Medical Group, Boston College and LexisNexis, to name a few. To the uninitiated, the timing and frequency of these breaches may suggest a sudden rash of poor information security practices, increasing sophistication of cyber-criminals, or both. In fact, these types of breaches are not so much new events as they are the subject of new legal requirements for companies to report them.
In 2002, California enacted the Security Breach Information Act (SB 1386) to require any individual, business or state agency that owns or licenses personal information, and conducts business in that state, to report to the data subject any reasonable suspicion of unauthorized disclosure of personal information. Although the law applies only to California residents' personal information, companies reporting breaches have often come under intense pressure from non-California residents and other state governments to fully disclose the entire scope of breaches, including breaches relating to non-state residents. Other states have begun to enact their own disclosure requirements, and, in April, the US Congress began discussions on a federal security breach disclosure law.
However, SB 1386 and its brethren have their critics. Not surprisingly, businesses complain of the cost of disclosure. Others, even some privacy advocates, feel that the requirement to disclose any breach to all persons affected, without regard to the potential risk the breach poses to a given individual, raises the spectre of the boy who cried wolf and therefore could desensitize the public to more serious privacy threats. Despite these fears, there can be little doubt that mandatory disclosure requirements encourage companies to improve information security practices and raise general consumer awareness about information security.
Transparency has become the new touchstone of privacy protection and is now likely here to stay. Although it remains to be seen whether and how Canadian governments will co-opt these principles, an excellent opportunity will arise this autumn, when the federal government is scheduled to begin its five-year review of the private-sector privacy law.
For the text of California State Bill SB 1386, visit: http://securitybreach.notlong.com
Summary by: Jason Young

E-TIPS® ISSUE

05 07 20

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.