Data being comprised is indeed a cause of alarm for any of us. Besides, you don't know where and how your data may be used, until you find yourself perhaps entangled in a malicious incident.
In Canada alone, more data breaches have been recorded in the past 10 months than in the previous 10 years, federal government said. For the past 10 months of 2013 to 2014, there are 3,763 data breaches, with 6,318 people becoming victims by these breaches.
Details of data breaches came from the Canada Revenue Agency (CRA), which reported such problems for the first time.
"Government departments and agencies appear to be aware of the heightened public concern about breaches," the spokeswoman Anne-Marie Hayden for the privacy commissioner's office said.
Similar to other several federal department and agencies, the CRA's data breaches tracking came as a response and result to a number of high-profile cases that led to sensitive personal data of Canadians being put at risk. An example is the high-profile case of the missing portable hard drive from the Employment and Social Development Canada that contains social insurance numbers of 583,000 individuals.
Hit hardest by data breaches is the CRA with 2,983 cases or nearly 80 percent of the total recorded breaches in the current period. Of these, about 1,372 were privacy breaches. Around 120 of those breaches were results of stolen, lost and compromised information. However, the government clarified that 95 percent of the total breaches were fault of the taxpayer for misdirecting mail.
Next in line is the National Science and Engineering Research Council with 532 breaches, followed by the Employment and Social Development Canada with 223 breaches.
There were eight departments in the agency that reported the breaches to the privacy commissioners. Ten breaches have been reported to the privacy commissioner in 2009 to 2010, 109 reported breaches for the period of 2012-2013 and 219 reported breaches at least for the period of April 1, 2013 to Jan. 29, 2014.
Ten departments didn't report any of their breaches for some valid reasons.
The Treasury Board states three guidelines when privacy breaches need only be reported to the commissioner. One is when it involves sensitive, personal information, including financial or medical info and personal identifiers such as the social insurance number. Second is when it can bring about identity theft or other related fraudulent activities. Third is when it can cause harm or embarrassment to the person with an unfavorable effect on his career, financial position, reputation, health, safety or well-being.
In the past 10-year period, the federal government declared slightly over 3,000 breaches in total, based on the figures lately tabled in the Parliament, though data hasn't been stipulated for several agencies.
Another one is the Department of National Defence that refused to disclose the number of times classified info has been lost, for the reason that it's seen a threat to national security if they do.
The CRA appointed its first chief privacy officer (CPO) in April 2003, said Hayden. She didn't discount the possibility of oversight considering the broad coverage of the CPO in clamping down privacy violators or data breaches.
"While it's our view that the federal government generally does a good job of protecting personal information, it is clear that there remains room for improvement," she said.
Among the suggestions of the Official Opposition for improvement is an overhaul of federal privacy laws that includes making data-breaches reporting to the privacy commissioner a mandatory.
"This government is dragging its heels on doing what the privacy commissioner has been seeking, which is compulsory data breach notification," the NDP national revenue critic Murray Rankin said.
"They are being blasé with the privacy of Canadians and this is not trivial information. It is some of the most sensitive information that our government holds about us," Rankin added.
Questions arise as to whether the government can handle the load in investigating these data breaches once mandatory reporting really comes into effect.
"The impact on our office of any new breach reporting requirement would depend on a number of things, including what types of breaches had to be reported to us," Hayden explained.
