
Privacy commissioner calls for power to impose 'substantial' fines for breaches

Canada’s privacy commissioner Jennifer Stoddart wants the power to impose “attention-getting fines” when major corporations fail to protect personal information.

Her statement comes in the wake of massive security breaches first disclosed by Sony last week, which may have affected more than 100 million user accounts worldwide.

The company warned that data including names, birth dates, email addresses and log-in information was compromised. Sony also said encrypted credit card data from 10 million accounts may have been accessed, although there is still no evidence of credit card fraud.

In a speech delivered in Stratford, Ont., on Wednesday, Stoddart said she was “very disappointed” that Sony did not proactively notify her of the breach. But Stoddart said the company has been co-operative since being contacted by her office.

“Still, I remain deeply troubled by the large number of major breaches we are seeing. Too many companies are collecting more personal information than they are able to effectively protect,” she said.

“I have come to the conclusion that the only way to get some corporations to pay adequate attention to their privacy obligations is by introducing the potential for large fines that would serve as an incentive for compliance.”

In a follow-up interview, Stoddart would not yet define how large an “attention-getting fine” would be, other than to say “it has to be more than token amount.”

“I think it’s a fine that’s significantly related to the size of the business and the size of the profits,” she said.

“I’m concerned that we don’t have in Canada an incentive for corporations to spend money on security … I don’t think we have a sufficiently large downside to push them along that path.”

Stoddart said it’s the first time she’s asking for the power to issue fines. Previously proposed legislation would’ve required that companies report data breaches to her office and affected individuals.

“A message needs to be sent out to businesses generally, even small and medium businesses, that this is something you have to look after. People are entrusting their personal information to you, identity theft is rampant, fraud is rampant, and all businesses have to take that into account.”

A $1 billion class action lawsuit related to the Sony data breach was announced in Ontario on Tuesday on behalf of as many as one million affected Canadians.