National Post

New data breach rules not strong enough, critics argue

- James McLeod

New provisions in Canada’s online privacy law will come into force on Thursday, requiring companies to quickly disclose security data breaches if they cause a risk of significant personal harm.

But critics, including Canada’s privacy commissioner, say that the new measures still don’t go far enough to protect citizens’ privacy.

Under the new rules, commissioner Daniel Therrien said he’ll get reports from companies that suffer privacy breaches, but that his office has yet to be allocated any additional funding to handle those reports.

And his office is limited in terms of how it can respond.

“What we cannot do is order companies to improve their security posture. So companies are free to accept our recommendations or not,” he said.

“We think that we should have the authority, as regulators in Europe and the United States (do), to order companies to comply, to improve their practices, and to impose fines,” Therrien said.

When the new section of the Personal Information Protection and Electronic Documents Act (PIPEDA) comes into force, companies will be required to keep internal records of all breaches of security safeguards for two years, and in cases where there is a risk of significant harm, companies must report the breach to the Office of the Privacy Commissioner and to the people affected.

As long as companies report their breaches, there are no financial penalties, which is something that Therrien isn’t thrilled about.

“The odd nature of this is that there are very hefty fines for failing to report, but there are no fines for failing to have the security safeguards that would have prevented the breach from occurring,” he said.

“There could be actions in the civil courts by individuals whose data was disclosed improperly for any damages incurred, but that of course is very costly.”

As such, damage to reputation is the main risk for companies that get hacked or suffer other kinds of privacy breaches.

Famously, that’s what happened to Ashley Madison, the dating service that sold itself as a way for married people to discreetly find partners for affairs, but that in 2015 suffered a breach affecting customer data for more than 30 million users.

Ruby, the firm that owns Ashley Madison and two other dating services, is still in business, and Matthew Maglieri, chief information security officer for the firm, said they’ve implemented industry-leading security measures since the hack. But Maglieri, who joined Ruby in 2017, years after the breach, said the threat of reputation damage alone isn’t enough to get companies to change their ways.

“It’s an unfortunate fact that for many organizations it takes an incident to really spur the organization to take the action and investment necessary to really build a security program that’s in line with the threat landscape,” Maglieri said. “As security professionals, we often struggle within our organizations to get investment, to get the backing of our leadership teams and our boards.”

A lot of companies aren’t ready for the new PIPEDA requirements, according to Mark Sangster of cybersecurity company eSentire.

“I definitely think there’s a significant gap between understanding their obligation and being able to deal with it, and many of them may not realize that they have an obligation,” he said.

Sangster said the new rules are a step in the right direction, but because they set no specific timeline for how quickly companies must notify the people affected by a breach, they leave a lot of ambiguity.

“There has to be a certain sense of urgency because on the flip side, you’ve got Equifax which did affect Canadians and about 50 per cent of the U.S. population, and initial notifications occurred months after they determined something happened,” Sangster said.
