This article was originally published in Maclean's Magazine on January 19, 2004
Few Companies Prepared for New Privacy Law
CONSIDER THE CASE of the bride-to-be who was inadvertently shown her fiancé's private financial papers. He'd asked her to drop off some documents at his bank on her way to work. While doing that little favour, she was ushered into the office of an account manager who had the man's file open on his desk. It revealed a line of credit she hadn't been aware of, used by her love to help pay his university tuition fees. The manager informed her that her future husband had reached the end of that year's allotment and needed to apply for the next year. He gave her a blank application, plus a copy of the last one her fiancé had filed. Upon learning the full extent of her intended's debt burden, she called off the nuptials.
Then there's the tale of Kevin, whose cellphone provider sent past statements to his estranged wife. Using the records, she discovered he was dating someone else who also was married. Kevin feared that the impact of the PRIVACY breach on his divorce proceedings would be severe. So he threatened to sue the phone company for $100,000, claiming pain and suffering to himself and his girlfriend who, he said, were both harassed by their respective spouses.
Trashed credit ratings. Debit card fraud. Nasty divorces. If you think privacy legislation is boring, think again. Since 2001, federally regulated companies - banks and broadcasters, for instance - have had to comply with Canada's updated privacy legislation. Since January 1, that obligation has been extended to every organization involved in commercial activities unless it's already covered by a provincial privacy code.
Yet few companies seem to be aware of that obligation, and that's a huge deal. Ever since computers became ubiquitous and corporations began using them to store customer data; ever since Internet cookies and software surveillance systems began tracking computer users' every move; and ever since the advent of call display, organizations have collected reams of personal information. Where you live, where you shop, what you buy, how much you spend, who you call, what hotels you stay in, what you eat and drink - not to mention financial and health records - are all digitized and available. All it takes is a call-centre operator who's not paying attention when a wife asks for her husband's cellphone records. Or a sloppy bank manager who leaves files open on his desk.
Or worse. Last winter, a huge computer hard drive belonging to Co-Operators Insurance Co. went missing for nine days. It contained the financial data of almost 180,000 life insurance and pension customers, information that could easily have been used to steal identities and commit fraud. The drive was found and no damage was done, but not before Co-Operators advised clients to be on "fraud alert" and set up a call centre to field queries from distressed customers.
Bank of Montreal had a similar near-miss last September: computers containing records that included customers' names, addresses, phone numbers and bank-account and credit-card balances were for sale on eBay for six hours before their content was discovered. A subcontractor, responsible for disposing of the old BMO computers, had sold them to an Ontario man without properly "scrubbing" them first. He discovered the error and the information was erased. But the vulnerability of electronic data - which is everywhere - was driven home.
The new law, called the Personal Information Protection and Electronic Documents Act, or PIPEDA, says organizations can only collect personal information for a stated reason - and can use it only for that purpose. Among others things, that means a company that supplies a service can't sell its list of subscribers to another company's marketing department. Individuals must be informed, and give their consent, before personal information is collected, used or disclosed. Canadians now have the right to see what data a company has on them, and to correct it. And a company can't withhold a service if a customer refuses to supply personal information - unless the company can show it is crucial to providing the service.
But most firms are unaware of the new law. "It's very unfortunate. Roll-out time is here now and awareness is lacking - it's been mired by the Radwanski affair," says Ann Cavoukian, the Ontario privacy commissioner, referring to the former federal privacy czar whose egregious expense-account excesses commanded so much attention last summer. In December, just weeks before the law came into force, Cavoukian told a breakfast meeting in Toronto that 81 per cent of small- and medium-sized businesses have "no idea" how they'll be affected. "It's mind-boggling to me," she said.
The obligations seem straightforward: get consent and use the information only for its stated purpose. But for larger companies that have data stored in many different divisions, half the battle is being aware of where all the information is kept, says John Walter of the Canadian Standards Association, which developed the model privacy code that eventually became PIPEDA. "I wouldn't say they're ignoring it, but the job is going to be bigger than they expect."
And there's confusion over which organizations might be exempt. Is a charity that shares its list of donors covered by the law? Is the practice of medicine a commercial activity? There are many transactions that fall into the grey zone, says Heather Black, Ottawa's assistant privacy commissioner responsible for the new legislation. "If you are in a grey area," Black says, "my advice is to err on the side of assuming you are covered." These questions will be answered as the law is tested, she says, adding: "It will shake down, but it will take time."
Queries to the marketing association illustrate some of the risks the law should eliminate. Through data mining, one CMA member discovered that a higher-than-average use of a non-prescriptive health product (Gustavson refuses to say which one) is correlated with a higher-than-average credit risk. In other words, a big buyer of Product X appears to be a lousy candidate for a loan, information that could lead to someone being refused a mortgage. Could the member use the list? No; it's illegal. Plus it would contravene the CMA's code, which, like the new federal law, calls on members to be clear about why information is collected - and to use it solely for that purpose.
Gustavson's main fear is that the law, which he says is reasonable now, could become more severe - and more onerous for companies - later on. "If business doesn't get it right, and there are horror stories about non-compliance, the law will only get tougher," Gustavson says.
Under the law, fines for infractions run up to $100,000. Tales of privacy breaches are currently posted on the federal commission's Web site without naming names, but that could change. "As time goes on, we will be naming companies," Black says. That threat could turn out to have more oomph than the fines. "The cost of a privacy meltdown is high," Cavoukian says. "It could hit a company's stock price and its reputation. Good privacy is good business. If customers believe you protect their personal information, you'll have their loyalty in spades."
Technology has made it easy to invade a person's privacy, says Black, but it can also help protect it. "As it becomes easier to do bad things with personal information," she says, "consumers are becoming less tolerant and more demanding of privacy protection." And the organization that abuses its clients' privacy is in peril.
Maclean's January 19, 2004