by David Loukidelis, Information and Privacy Commission of British Columbia
Identity theft, which increases significantly every year, involves misuse of an individual’s personal information to impersonate someone for gain. Criminals are increasingly using discarded credit card receipts, loan applications and similar records containing personal information to exploit innocent individuals’ personal information, for example, by obtaining credit cards and false ID. Meanwhile, technological developments have facilitated the aggregation and sharing of large amounts of personal information, making databases increasingly tempting to thieves who exploit security vulnerabilities to hack into systems. There are signs that businesses, aware of the cost to their customers and their brand reputation, are investing in IT and business process fixes for security vulnerabilities.
Businesses are responding with data security measures in order to protect their customers and their own reputation. And since 2004, the Personal Information Protection Act (PIPA) has required the provincial private sector to take reasonable measures to protect personal information against unauthorized use or disclosure.
An organization that fails to meet this duty is subject to investigation by the Office of the Information and Privacy Commissioner (OIPC), which can order correction of defective IT or business practices and can order other steps to be taken. And a customer who has suffered loss can, having obtained a ruling from the OIPC, sue for damages in the Supreme Court.
Apart from these formal consequences under PIPA, organizations should also remember that loss of reputation can be very costly. Poor information security practices have been the subject of well-publicized recent investigations and rulings in Alberta and Ontario, doubtless to the chagrin of the businesses involved.
Businesses should have assessed by now, in light of the sensitivity and extent of their information-holdings, whether they have implemented reasonable protection measures. The analysis will be advanced by considering accepted good practices in the private sector and relevant technical information security standards such as ISO17799 or COBIT.
More prosaically, any organization outsourcing functions dealing with personal information should implement a diligent performance-monitoring and enforcement program. Privacy is not a fire-and-forget thing when businesses outsource functions to service providers. A recent decision under Ontario’s new health privacy law confirmed that an organization that has outsourced personal information management must actively monitor and enforce its service provider’s privacy-related performance or risk being held responsible for contractor defaults.
Lawyers are well placed to serve their clients by helping them understand and come to grips with their privacy responsibilities under PIPA, including duties relating to protection of personal information from misuse. Lawyers should also remember that PIPA applies to them directly and ensure that their own houses are in order on the privacy front.
This article was published in the December 2005 issue of BarTalk and is subject to the copyright by the British Columbia Branch of the Canadian Bar Association, 2005, all rights reserved.