Friday, January 05, 2007

An obligation to report a breach?

An article by Mary Kirwan in the Globe&Mail informed me of a debate (which I did not know existed) before the Standing Committee on Access to Information, Privacy and Ethics, as part of the review of the Personal Information Protection and Electronic Documents Act (aka PIPEDA).

As she writes:

One of the issues for debate is the absence of a security breach reporting requirement in the act, an obligation on the part of covered entities — most government and private sector players are covered — to let you know if the security of your personal data has been breached in Canada.

Unlike most U.S. states, where security-breach reporting laws have proliferated in the wake of a spate of highly publicized breaches in 2005 and 2006, we in Canada rarely get to hear about instances where the security of our personal data has been compromised unless the press gets wind of it or a whistleblower spills the beans. It is, alas, far less likely that a company will decide of its own volition to reveal the bad news. Fears about negative publicity, customer anger and regulatory disapproval have made for some very tight lips in corporate Canada, and indeed in many government circles.

Having discussed it with colleagues in American legal departments, "reporting," as they call it, requires entire teams. In fact, several other reporting obligations weigh on American companies.

Despite that, I share Ms. Kirwan's comment to the effect that:
I tend to suspect the worst. The ability to cover up data security breaches simply encourages complacency and rewards incompetence.

Moreover, the greatest truth in her article, and the most frightening, is the following:
There is also the uncomfortable fact that despite the much-heralded influx of sophisticated criminals into the arena, many attackers are still pimply-faced teenagers, with automated hacking tools.

If companies packed to the gills with highly paid executives with fancy degrees can't hold the fort against your next-door neighbour's dysfunctional kid, you might well ask: Who is in charge of the henhouse? And do we desperately need a changing of the guard?
