Identity theft and related fraud have become serious risks for individuals in the information age. Identity thieves gather sensitive personal information from a number of sources, and then use it to engage in fraudulent activities in the name of the victim, usually for financial gain. Sources of information include data brokers and other organizations that collect, hold and disclose such information in the course of their normal activities. As the number and size of personal information databanks grows, security breaches exposing customer information to unauthorized access and use are becoming commonplace. This White Paper argues for a Canadian law requiring that organizations notify individuals when their personal information has been compromised as a result of a breach of the organization's security. In particular, it calls for an amendment to the federal Personal Information Protection and Electronic Documents Act ("PIPEDA") to provide for mandatory notification of security breaches when certain types of personal information are exposed to unauthorized access as a result of a security breach.

Reprinted with Permission from CIPPIC, www.cippic.ca