Nobody likes to talk about getting hacked. For one, it’s embarrassing. And for companies, it’s a quick way to lose customers’ trust. It’s why you rarely hear about data breaches or cyberattacks on big businesses unless the companies are forced to admit something happened.
Upcoming changes to Canadian privacy law and recent guidance from the Canadian Securities Administrators mean that Canadian companies will not only have to disclose more about cyberattacks than they have in the past, but be more proactive about disclosing specific risks that could lead to attacks in the future.
For Canadians, it should mean more insight into what companies are doing to protect your data. And if your data is lost or stolen, companies will have to tell you, or risk being fined. No more sweeping attacks under the rug.
And with more known breaches, there will be more angry victims, meaning a likely increase in the number of companies being sued, Fowler says.
The hope is that more transparency will lead to better protections and fewer breaches in the long term. And “there should be a large amount of information that floods the internet from these organizations” this year, Fowler says.
“There are a significant number of breaches that never get reported because there’s no obligation to report them,” says Imran Ahmad, a partner at the law firm Miller Thomson, who specializes in cybersecurity.
But later this year that will start to change.
The short history is that in June 2015 the Canadian government passed the Digital Privacy Act requiring, among other things, that data breach notification and reporting regulations become part of Canadian privacy law.
The government expects to publish draft regulations “sometime in early 2017,” according to an Innovation, Science and Economic Development spokesperson, but couldn’t say when the final regulations will be published, or when they might come into force.
Typically, that would mean any information that could be used to commit fraud or pull off a social engineering attack — for example, names and addresses, credit card data, security questions and passwords, or past orders on an online shopping site. But it could also include information with the potential to humiliate or damage a person’s reputation.
Failure to log a breach or notify users when required could result in a fine of up to $100,000, “a step in the right direction,” Ahmad said, when it comes to giving the regulations some teeth.
The Canadian Securities Administrators (CSA), on the other hand, is doing its part to ensure that publicly traded Canadian companies are more transparent about their cybersecurity practices before they get hacked — and not just afterward.
Last month the CSA looked at how 240 publicly traded companies in Canada talked about cybersecurity in their financial filings — the potential impact of a cyberattack, information at risk, who handles the company’s cybersecurity, and any disclosures of previous breaches or attacks.
The CSA found that 40 per cent of companies failed to address cybersecurity risks in their disclosures. And generally speaking, the CSA found that filings tend to use generic, boilerplate language — even though different types of companies face different types of cyberattacks or threats, and hold different types of data subject to varying degrees of risk.
For banks, Ahmad said, the big risk is phishing (fraudulent emails purporting to be from a legitimate source), while for an online store it’s a distributed denial of service (DDoS) attack — two very different risks.