Michael Geist, in his latest Toronto Star column, argues that PIPEDA should be amended to follow California's example, which requires companies to notify customers if the security of their personal information has been compromised:
TheStar.com - Revise privacy law to protect public, not offenders:
"... Recognizing that companies have an incentive to keep privacy and security breaches private, the State of California has adopted a law that requires organizations to publicly disclose privacy breaches to their customers. Although opposed by business, the law, known as SB1386, has proven wildly successful since its enactment just over 18 months ago.
The law requires companies and agencies that do business in the state, or possess personal information of state residents, to report breaches in the security of personal information in their possession. Companies must act quickly, notifying customers in writing, electronically, or by prominently posting the information on their website.
The law's impact on business practice has been dramatic. The State's Office of Privacy Protection recently surveyed California companies and found that 76 percent of surveyed companies changed their communications policies as a result of the new law; about one third of the surveyed companies changed security procedures; and almost half changed the way they used social security numbers (the U.S. equivalent of Canadian social insurance numbers)..."