Data breach fines sought by privacy watchdog

Canada's privacy commissioner wants the power to impose hefty fines on companies that fail to protect personal information from preventable data breaches.

Jennifer Stoddart 'disappointed' by lack of notification from Sony

Canada's privacy commissioner wants the power to impose hefty fines on companies that fail to adequately protect Canadians' personal information from preventable data breaches.

"I am deeply troubled by the large number of major breaches we are seeing," Jennifer Stoddart said Wednesday at the Canada 3.0 digital media conference in Stratford, Ont.

She has concluded that imposing "significant, attention-getting fines" is "the only way" to get some corporations to "pay adequate attention to their privacy obligations," she said.

The privacy commissioner can investigate complaints that a company has violated Canadian privacy laws, but does not have enforcement powers. Instead, she must ask the Federal Court to take action.

Stoddart said her counterparts in other countries such as the United Kingdom, France and Spain have already imposed fines of up to $157,000 after recent data breaches.

Writing to Industry Canada and recommending similar powers for her office is one of her top priorities after Monday's election, she added.

Fines are 'the only way' to get some corporations to pay adequate attention to their privacy obligations, Privacy Commissioner Jennifer Stoddart said Wednesday. (Sean Kilpatrick/Canadian Press)

Stoddart's statement comes a day after it was announced that a proposed class-action lawsuit was filed against Sony Corp. claiming damages of more than $1 billion for a data breach affecting more than 100 million customers of the Sony PlayStation Network, Qriocity entertainment service and Sony Online Entertainment.

The information stolen during a cyberattack on the company's network may include names, birthdates, email addresses, passwords and some credit card and banking information.

Stoddart said she was "very disappointed that Sony did not proactively notify my office of the breach."

However, she said the company has been co-operative since being contacted by her office, and she is pleased that the company is limiting damage by shutting down its systems, launching a forensic audit and notifying users.

Stoddart noted that before the election, Parliament had been considering legislation that would require companies to notify consumers of data breaches.

Doesn't have 'a lot of teeth'

Avner Levin, director of the Privacy and Cyber Crime Institute at Ryerson University, said such legislation exists in the U.S. and is the reason why Canadian consumers sometimes get notified of data breaches involving their personal information.

Right now, he said, Canada's privacy commissioner doesn't "have a lot of teeth" to deal with breaches of Canadian privacy legislation. If enforcement is needed, the commissioner's investigation is not enough. The case starts over and the breach needs to be re-proven before the Federal Court, Levin said.

"I would say if you let the privacy commissioner have some kind of enforcement powers — the powers to order companies to do things — that would take it a step forward for the consumer."

He added that one of the reasons why companies and consumers aren't more vigilant about data breaches is that the consequences for them tend to be minimal. Typically, after a breach, consumers continue to do business online; companies' stock prices don't fall dramatically, and if they do, they recover, he said.

"It doesn't get quantified into some kind of financial harm that you might sort of imagine."