Professional services advisory firm KPMG has commented that Canadian businesses respond immediately to data breaches – but only when the incidents get reported by the media, and not because legislation compels them to do so.
According to Imraan Bashir, KPMG partner & national public sector cyber leader, several of the more notable data breach incidents in recent times were pushed aside by the affected companies until the news about them went public.
Bashir also told IT World Canada that unless there is a “colossal reset” around how businesses, both in the public and private sector, view people’s data, the data will end up exposed or stolen by hackers. He added that organizations that try to sidestep their responsibilities around privacy and security breach reporting are rapidly losing the public’s trust.
“And the level of trust towards one company versus the other is dramatically different,” Bashir said, citing a KPMG study which found that 84% of people would take their business elsewhere if a company failed to secure their data from hacking or breaches.
Canada’s laws also have to change and must be enforced in order to improve data protection policies, commented KPMG national partner & privacy, regulatory and risk consulting expert Sylvia Kingsmill.
“Technology doesn’t keep pace with static legislation,” Kingsmill told IT World Canada.
Last November, the federal government announced changes to legislation through a new Digital Charter Implementation Act. One of the key changes introduced by the law was that the federal privacy commissioner can recommend whether a company should be fined for not complying with the new privacy legislation.
Kingsmill also noted that several provinces, such as Quebec, have similarly updated their privacy laws.
Bashir added that the chief information officer’s Strategy Council has been developing standards around the use of emerging technologies. Those efforts have led to the development of new Canadian National Standards, such as the National Standard of Canada. If more organizations use these standards when implementing technologies in their businesses, the standards can help them report breaches more effectively, he said.
“I think standards are useless if they’re just sitting on a shelf,” Bashir prefaced.
Both Bashir and Kingsmill told IT World Canada that there are discrepancies between the public and private sector in breach incidents reported to the federal privacy commissioner, suggesting confusion over what constitutes sensitive information when reporting a breach.
Commissioner Daniel Therrien revealed in his annual report that for the 2019-20 period, there were few privacy breach reports from federal institutions that mention cyberattacks as the cause. In fact, the public sector indicated that less than 2% of all reported breaches involved a cybersecurity event. By comparison, 42% of private sector data breaches reported under the Personal Information Protection and Electronic Documents Act (PIPEDA) indicated a cybersecurity cause, and nearly all those breach reports mentioned the involvement of malware, ransomware, social engineering, and other intrusion methods.
The two KPMG experts have also noted that the current version of the Privacy Act does not legally require companies to report any breaches they experience.