Canadian credit card companies security breaches

Written by Peter James
Wednesday, 31 January 2007

It seems completely unfair! If your Canadian credit cards are lost or stolen, you are obligated to immediately inform credit card companies and banks in Canada. But these financial institutions aren't obligated to do the same if their security is breached and your credit cards are compromised. Now someone wants that imbalance corrected.

Canada's privacy watchdog wants full disclosure of Canadian credit card thefts

Jennifer Stoddart, Canada's privacy commissioner, wants Canadian companies to be required by federal law to notify their customers whenever a security breach takes place. In my opinion, it's about bloody time! And now Ms. Stoddart has some ammunition in her campaign when she appears next month before a parliamentary committee conducting its mandatory five-year review of the federal privacy act.

The Personal Information Protection and Electronic Documents Act (PIPEDA), in effect since 2001, does not require companies to notify individuals or the privacy commissioner's office when a breach occurs. However, two massive computer breaches (as reported earlier by the Canadian Credit Center) now under investigation by the privacy commissioner have created the impetus for change.

The American-based head office for Canadian chain stores Winners and HomeSense reported that potentially millions of Visa, MasterCard, American Express and Discover credit card accounts had been compromised after hackers stole detailed customer information from the company's computers. The identity thefts took place during the second half of 2006 and were finally discovered in mid-December, but multinational corporation TJX only reported the breach to Canadian, American and British consumers after the Christmas shopping season was over.

Last year, Canadian Imperial Bank of Commerce (CIBC) mutual fund subsidiary Talvest of Montreal also compromised the identities of 470,000 Canadians when it lost a computer backup file with personal and financial data.
It was the second time in three years that confidential material had been mishandled. In 2004, Talvest disclosed that CIBC had been inadvertently sending faxes containing private information to scrap yards in West Virginia and suburban Montreal ... for three years!

Reaction by Canadian credit card companies and banks in Canada to these breaches was varied. And that's the problem the privacy commissioner wants rectified. For instance, Citibank cancelled customers' MasterCards that were compromised by the TJX breach but apparently did not warn these customers in advance of the cancellations. One Maritimer, who wished to remain anonymous, discovered by accident that her MasterCard was dead, leaving her without a Canadian credit card for 7-10 days. But the Royal Bank of Canada (RBC) simply placed its cardholders on an "enhanced watch list" tracking any suspicious transactions and unusual spending patterns after the TJX admission.

That's why amending Canadian privacy laws will create a level playing field for all Canadians when their personal and financial identities are at risk. A spokesperson for the Federal Privacy Commission explained that proposed legislation changes "will ensure we are able to help the companies deal with the problem and also that individuals can take the proper steps they need to take to protect their personal information." It turns out that many times, Canadian companies do the right thing and notify the privacy commissioner, but at this point it is not required by law.

It's a different situation in the United States of America, where more than half of US states legally require that customers be notified when their personal information is compromised. Those who fail to follow the reporting requirements face stiff penalties, for example up to $150,000 in New York state.
Supporters of the new amendment, including the Canadian Internet Policy and Public Interest Clinic (CIPPIC), argue that federal laws requiring organizations to notify individuals of security breaches will force those organizations to take security more seriously, since every failure will become a public embarrassment. This deterrent could help reduce Canadian identity theft and other fraudulent uses of personal data in Canada.

The Information Technology Association of Canada (ITAC), whose members include BCE, Telus, Rogers, Microsoft, Nortel and Research in Motion, argues against mandatory notification because of the expense. It also suggests Canadians may start to ignore the notices, particularly if notification is required after any breach, not only if there is a risk of fraud.

But it seems to me that if I'm obligated to take reasonable steps to protect my financial information and immediately inform Canadian banks and credit card companies if it's lost or stolen, it's only fair that all corporations in Canada be obligated to do the same for me. Anything less than full disclosure every time is patently unfair.