Crisis for privacy and data protection in Canada

THE data breach at LifeLabs announced on Tuesday means that, in a period of just one year, every Canadian has likely been the victim of a data breach or knows someone who has, said the BC Freedom of Information and Privacy Association on Wednesday.

According to figures released by the Office of the Privacy Commissioner of Canada, 28 million Canadians have been the subject of a data breach since November 1, 2018. With an additional 15 million Canadians impacted by the LifeLabs breach, that means there were more than 43 million incidents between November 2018 and November 2019.

This situation represents a crisis for privacy and data protection in Canada, said the FIPA.

“Canadian privacy laws, both federal and provincial, are simply inadequate,” said Joyce Yan, FIPA’s Interim Executive Director. “They do not and will not protect Canadians from the potential harms that come from our increasingly digital world. Urgent law reform is needed. Every privacy commissioner in Canada needs to have investigatory, order-making, and fining power. Data breaches must be reported to them immediately.”

While breach notification became mandatory at the federal scale last year, it is still not a requirement provincially. As well, it is not required that companies notify individuals when their data has been breached. Public bodies are not required to report breaches at all.

“Private companies must face repercussions for negligent data handling practices,” said Yan. “These should include financial penalties for the company, financial penalties for individuals at the company, possible charges of criminal negligence, and financial compensation for those impacted.”

During an interview, LifeLabs CEO Charles Brown stated that he did not know if the data that was breached was even encrypted.

“This is an unacceptable and irresponsible position for leadership to hold. The head of a company that is entrusted with processing data that relates to the intimate aspects of our lives–our health, wellness, and biology–must be informed about the security measures taken to protect that information,” said Yan.

The Information and Privacy Commissioners for Ontario and BC are investigating the breach and will release a report at that investigation’s conclusion.