New rules for data breach don’t go far enough, critics warn
New provisions in Canada’s online privacy law will come into force on Thursday, requiring companies to quickly disclose security data breaches if they cause a risk of significant personal harm.
But critics, including Canada’s privacy commissioner, say that the new measures still don’t go far enough to protect citizens’ privacy. Privacy Commissioner Daniel Therrien said that under the new rules he’ll get reports from companies that suffer privacy breaches, but that his office has yet to be allocated any additional funding to handle those reports. And his office is limited in terms of how it can respond.

“What we cannot do is order companies to improve their security posture. So companies are free to accept our recommendations or not,” he said. “We think that we should have the authority, as regulators in Europe and the United States (do), to order companies to comply, to improve their practices, and to impose fines.”

When the new section of the Personal Information Protection and Electronic Documents Act (PIPEDA) comes into force, companies will be required to keep internal records of all breaches of security safeguards for two years, and in cases where there is a risk of significant harm, companies need to report a breach to the Office of the Privacy Commissioner and to the people affected. As long as companies report their breaches, there are no financial penalties, which is something that Therrien isn’t thrilled about.

“The odd nature of this is that there are very hefty fines for failing to report, but there are no fines for failing to have the security safeguards that would have prevented the breach from occurring,” he said.
As such, damage to reputation is the main risk for companies that get hacked or suffer other kinds of privacy breaches.
A lot of companies aren’t ready for the new PIPEDA requirements, according to Mark Sangster, vice-president of strategic marketing for Cambridge-based cybersecurity company eSentire. “I definitely think there’s a significant gap between understanding their obligation and being able to deal with it, and many of them may not realize that they have an obligation,” he said.