Aussies follow Canadian lead on data breach guide

"We've been pushing for notification requirements for years, because it's obvious to me and my colleagues that, by and large, corporations are not doing as much as they should be to secure the personal information in their possession," Pippa Lawson, executive director at CIPPIC, told ComputerWorld Canada earlier this year. "Our conclusion from years of research is that the market does not provide efficient incentives for effective security precautions, because in most cases, companies can hide the breaches and they are never publicly known about."

Lawson said that while the government's interest in drafting better data breach notification laws is positive, Ottawa needs to take it a step further and require mandatory public reporting as well.

"There's two ways that you can create incentives for companies to take strong security measures: one is to make them pay financially through penalties and fines, and two is to give them bad publicity that can be even more costly," Lawson said. "If there is a real risk of negative publicity for these companies, the CEOs will make sure that they put more resources into security."

David Senf, director of security and software research at Toronto-based IDC Canada Ltd., said Canada would benefit greatly from similar privacy legislation passed in California, which mandates organizations to reveal to customers that personal data has been compromised.

"Organizations in this country don't fear the repercussions of PIPEDA," Senf said earlier this year. "Stronger legislation will go a long way in convincing organizations to tighten up security for better privacy protection."

Cavoukian, however, disagreed on taking such a punitive approach. As a regulator, she said, her concern is to ensure when something happens that it's addressed immediately and as quickly as possible to benefit the affected individuals.

"You can almost take as a given that over time, virtually every company is going to make an oversight or a mistake and have some kind of data breach," Cavoukian said. "My experience in working with organizations is that as soon as they know there's a breach, they're really motivated to cure the harm and prevent it. If you create a database of who did what and how many times they did it, I just don't know how effective it would be."