What is the “standard of care” for our personal data?

How do we ensure our private information is being properly safeguarded?

Every week, there seems to be news of another breach in which a government agency or company loses control of the personal information it holds about its clients. We have seen lost health records, stolen financial data, hacked personal mail and travel plans, stolen photos, and eavesdropping on conversations.

In some cases, data was lost due to negligence and sloppy handling. In other cases, criminal organizations exploited system vulnerabilities.

What is the appropriate standard of care that an organization should exercise when handling personal data? How should organizations respond when any kind of data loss is detected?

Those questions were the subject of a recent breakfast discussion I had with a colleague who tolerates me eating fried kippers for breakfast. I will note as an aside that Kiva’s Bagel Bakery Restaurant & Appetizer is one of the few remaining places I know of that has kippers available for breakfast every day. And they make a respectable bagel (for a Toronto bagel). Every so often, my colleague – let’s call him Brian (since that is his name) – and I get together at Kiva’s to try to resolve many of the world’s problems. For a few weeks, we have been looking at the issue of data breaches and wondering how we can get organizations in government and the private sector to take them more seriously.

Brian suggested massive fines and penalties for data losses in order to make sure that companies and government agencies take these losses seriously. I cautioned that an unintended consequence of Brian’s suggestion is that organizations might have a greater incentive to hide a loss, so there needs to be an element of balance between the compensation and the penalties to be paid.

How do we assess blame? If you leave your keys inside an unlocked and running car, I don’t think you can claim you exercised a reasonable standard of care when it is stolen. Most of us could appreciate that we failed to reasonably secure the car and anything inside it.

Similarly, shouldn’t we expect reasonable safeguards for our information? How do a Chief Security Officer and a Chief Privacy Officer attest to the Board of Directors, to shareholders and to clients that their organization is securing customer records?

What is the “standard of care” that we should demand from organizations that hold our personal information?

Perhaps part of the annual audit process should certify that organizations are a step ahead, not a step behind, in safeguarding personal information.

The 2019 Canadian Telecom Summit, June 3-5 in Toronto, will have a session examining “Cyber Security: Protection, Pre-emption & privacy in the Age of Bad Actors” moderated by Christine Dobby of the Globe and Mail and including noted privacy expert Ann Cavoukian. Early bird prices are available for the next 4 weeks. Save by registering before Feb 28.
