Richard Brennan, Toronto Star
Jun 03, 2008 02:44 PM
OTTAWA – So many businesses are playing fast and loose with Canadians’ personal information that data breaches have become virtually “epidemic,” federal Privacy Commissioner Jennifer Stoddart says.
Stoddart said in her annual report released today that over the past few years, hundred of thousands of Canadians have been affected by data breaches with financial institutions reporting the largest number of breaches to the privacy commission.
“Data breaches have been reported or noted for years but they are kind of growing into an … epidemic proportion not only in Canada but elsewhere,” the commissioner told the Toronto Star today.
Even so, businesses continue to download customers’ personal information, such as their date of birth and Social Insurance Number, onto laptops that are often stolen or lost.
“Too often, we see personal information compromised because a company has failed to implement elementary security measures such as using encryption on laptops, ” Stoddart said in her report.
According to the annual report, almost nine in 10 people whose data was compromised by a self-reported breach in 2007 were put at risk because their personal information was held in an electronic format that was either not secure or lacked adequate protection such as firewalls and encryption.
“Too often, large corporations underestimate the value of personal information and the risk that thieves will target it. As a result, we see deficient safeguards, lackadaisical privacy and security policies and procedures,” she stated.
The Office of the Privacy Commissioner (OPC) received 21 voluntary breach reports in the first five months of 2008 compared to 34 voluntary reports for all of last year, which was up from 20 in 2006.
Privacy officials are still reeling from the size and breadth of the security breach disclosed by the Framingham, Mass.-based retailer TJX Companies in December 2006, which compromised 94 million credit cards, including many held by Canadians.
“TJX was one of many companies gambling with Canadians’ personal information,” said Stoddart, who is pushing the federal government to call for mandatory reporting of security breaches that compromise an individual’s person data.
Within days of the TJX breach, the Canadian Imperial Bank of Commerce announced that computer hard-drive loaded with the private information of nearly half a million customers went missing in December somewhere between Montreal and Toronto.
The bank confided that the information included names, addresses, signatures, birthdays, bank account numbers, beneficiary information and social insurance numbers of about 470,000 current and former clients of Talvest Mutual Funds, which is part of CIBC.
“Businesses recognize the value of personal information to themselves for targeted marketing campaigns … unfortunately this perception doesn’t always translate into security measures up to the job of protecting the information from criminals,” Stoddart said in her 75-page report.