Edmonton Journal

Serious penalties for data breaches unlikely in Canada, experts say

Responsibility mostly falls to citizens seeking redress through civil lawsuits

- JAMES MCLEOD

TORONTO The six million Canadians who had their personal information compromised in the Capital One data hack might get some sort of compensation eventually, but they shouldn’t hold their breath, according to industry experts.

Unlike in the United States and Europe where governments have stepped up enforcement and moved to impose massive fines on companies who mishandle personal data, Canada’s laws just aren’t set up that way.

In Canada, the responsibility mostly falls to private citizens seeking redress through civil lawsuits, according to Aaron Shull, managing director and general counsel for the Centre for International Governance Innovation, a Waterloo-based think-tank focused on global innovation policy.

“There’s too much onus resting on the individual,” Shull said. “The status quo of the way we do data breach enforcement in this country is not sustainable.”

This week, Capital One announced that a hacker had breached their cloud data systems and stolen personal information tied to 100 million American customers and six million Canadian customers. The FBI has arrested Paige A. Thompson, who allegedly carried out the breach.

Of the Canadian customers, roughly one million social insurance numbers were stolen.

In Canada, both the Office of the Superintendent of Financial Institutions and the Office of the Privacy Commissioner (OPC) have indicated that they’re looking into the incident.

But industry experts say that Canada’s privacy enforcement is mostly toothless, and if the Capital One breach is anything like the last two major privacy breaches, it’s unlikely that there will be serious penalties here.

Last month, credit reporting agency Equifax reached a settlement with the U.S. Federal Trade Commission (FTC) that includes up to US$700 million in penalties, including payments of $125 directly to customers who were affected.

In Canada, the OPC investigated and made recommendations. Equifax accepted most of what the OPC put forward but refused on one of the recommendations — to offer Canadians a “credit freeze” product to prevent scammers from fraudulently checking victims’ credit scores.

While the company offered four years of credit monitoring for Canadians affected by the breach, the company didn’t have to pay a fine.

Facebook, too, has escaped relatively unscathed in Canada. While the social media giant was hit with a US$5 billion penalty as part of a settlement with the FTC for various privacy missteps, it disputed the validity of the OPC’s finding that it broke Canadian privacy law in relation to the Cambridge Analytica scandal, and refused to accept the commissioner’s recommendations.

“We have made a number of recommendations to address these problems. Facebook has declined to implement them. This situation highlights serious weaknesses with our current privacy protection framework,” Commissioner Daniel Therrien said at the time.

“It is untenable that organizations are allowed to reject my office’s legal findings as mere opinions.”

Ira Goldstein, chief operating officer with cybersecurity firm Herjavec Group, said that some forms of compliance certification are important to companies, but most businesses aren’t really worried about the Personal Information Protection and Electronic Documents Act, the main privacy legislation in Canada.

“I can tell you that the operators of the companies in Canada probably aren’t sitting around saying, ‘I hope we don’t get that $100,000 fine from PIPEDA,’” Goldstein said.

“They don’t want to be in the news, and they don’t want negative brand impact, but is that really a deterrent, or is that really an encouragement for them to spend more on security? I don’t think it is.”
