Reports of data breaches in Canada will “skyrocket” this year, Kevvie Fowler, KPMG’s national leader of cyber response in Canada, has predicted to the CBC.
Upcoming changes in Canadian privacy law, as well as guidance from the Canadian Securities Administrators (CSA), will force companies to be more transparent about cyberattacks than they have been in the past, and to outline the risk of data being compromised in the future. The Digital Privacy Act, passed in June 2015, requires data breach notification and reporting regulations to become part of privacy law.
The Act was supposed to take effect in “early 2017,” according to the government, but industry experts expect this to happen by the fourth quarter of the year. Once it does, organizations will have to log all breaches and notify users of any breach that could pose “a real risk of significant harm.”
This could include letting users know about compromises of information such as names and addresses, credit card data, previous online shopping orders, security questions and passwords. Failure to handle breaches as required can result in fines of up to $100,000 CAD.
Imran Ahmad, a partner at the law firm Miller Thomson, who specializes in cybersecurity, said that this change in law has been needed for some time now. “There are a significant number of breaches that never get reported because there’s no obligation to report them,” he told the CBC.
For its part, last month the CSA looked at how 240 companies in Canada discussed cybersecurity in their financial filings. This included reviewing the companies’ disclosures of previous hacks, who is responsible for cybersecurity, and whether and how they plan to strengthen security in the future. Overall, the CSA found that 40 per cent of companies failed to address cybersecurity risks.
The CSA says it expects issuers “to provide risk disclosure that is as detailed and entity specific as possible.” It will monitor whether companies are actually doing this, with the next step being to look into “enforcement action” against those that do not comply.
Privacy has been a particularly hot topic in Canada this month, with CSIS admitting it’s unsure how many Canadians were affected in its illegal data collection program.
Image credit: Flickr – Blogtrepreneur