Many B.C. businesses are still not complying with provincial protection of personal information legislation that took effect at the beginning of the year, say organizers of a seminar on cybercrime.

‘‘Here we are, six months into having to be compliant, and a lot of people aren’t even aware that the act exists,’’ said Paul King, life sciences director for Pacific Coast Information Systems, after speaking at the seminar in Vancouver last week.

Under the B.C. Protection of Personal Information Act (PIPA), any business or non-profit organization must protect the personal information of customers, clients and its own employees by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks.

A business that fails to comply with the legislation will face an investigation, and a possible fine, from the provincial privacy commissioner’s office. The privacy commissioner may also award damages to a plaintiff.

No fines or damages have been handed out yet.

‘‘A lot of companies won’t comply unless they know someone is going to arrest them,’’ said King.

Before they comply with PIPA, many companies are waiting for the province to punish someone, so that they can see what the fine will be – and then adjust their security accordingly.

‘‘There are people that need that stick to make them do it, which is unfortunate,’’ said King.

They’ll be in for a rude awakening, he warned.

‘‘Some case is going to happen over the next little while and then, all of a sudden, companies are just going to scramble and then go out there and figure out how they’re going to comply,’’ said King. ‘‘The problem is that you’ve been accountable for this since January so, probably, companies have been collecting information without consent.’’

But the law does not say how information should be protected. Each business must determine the level of security required based on the sensitivity of the information and the degree of risk.

Organizations must also declare their purpose for collecting the data and limit their use and disclosure to those purposes. People whose information has been collected also have a right to see that data – and file a complaint if they feel the details should not be stored.

If a company no longer needs the personal data for business or legal reasons, it must destroy the files, including backups.

King said companies need to start doing a whole inventory of their data security measures and assess their vulnerability.

‘‘Most companies are not aware of what their current risk level is,’’ said King.

Most times, companies will add a security measure ad hoc, without examining how it impacts or interrelates with another system.

‘‘Get people together,’’ said King. ‘‘Get the executive support, get the project manager and get the people in the business who understand the information. Get them together and come up with an inventory of the hardware and software that you have. Prioritize how important it is to the organization, both from a business continuity point of view and, also, good business practices, but also where you are susceptible – such as PIPA.’’

Wireless networks are particularly vulnerable.

‘‘People can easily access with their (laptop), but then they don’t realize that anyone within 200 feet from that access point can actually get into their network,’’ said King.

Two weeks ago, driving in his car along Burrard Street in downtown Vancouver, King accessed 15 wireless networks – 13 of which were not secure.

‘‘The firewall is something people often will outsource to their Internet provider. There is a sense, ‘Well, someone else is looking after it, so they must be doing it well.’ You often want to bring in a third party just to go through it and make sure that is the case.’’

Based on reports, said King, companies should do some form of audit on their network every three to six months.

Larry Munn, a lawyer with Clark Wilson, said companies that do not take steps to protect their customers’ and employees’ personal information will be vulnerable to legal action. Businesses will likely face challenges on the type of information that is collected, improper disclosure and loss of information.

‘‘Privacy isn’t just what the government is telling you to do – it’s also good business,’’ said Munn.

Munn told the audience of 35 representatives from small, medium and large businesses that gaining consent to collect information is the key to avoiding problems.

It is an additional administrative cost for businesses, Munn acknowledged. ‘‘But I think most businesses should also look at it as an additional cost to ensure customer loyalty.’’

Ottawa has introduced similar legislation – the Protection of Personal Information and Electronic Documents Act – but B.C.’s legislation takes precedence, said Munn.

But, Munn warned, B.C. businesses that collect information from people in the United States will have to make sure that they comply with the privacy law in the jurisdiction from which they’re gathering the data.

That means they’ll be complying with hundreds of different laws – because the U.S. does not have one piece of comprehensive privacy legislation. Alberta also has a comparable law that it developed in collaboration with B.C.