Data breach notification in Canada

2011 was declared the Year of the Data Breach. It was overshadowed by 2012’s cybercrime exploits. Then 2013 broke all records and this year has been a relentless succession of game-changing vulnerabilities that have destabilized the very fabric of Internet communications, cast a shadow on the prospects of the innovative potential of the Internet of Things, all the while leading an already desensitized public to the brink of fatigue.

Canadian data breach system and response not in place
According to research by, despite dozens of high profile breaches victimizing hundreds of millions, public awareness of cybercrime is at an all-time low, with only two being top of mind, irrespective of impact or damage. (

During my recent visit to the SecTor security conference I was treated to a virtual carnival of exceptional exploits, interesting technologies and top-tier presenters. Many of these traveled from far and wide to share their passion and wisdom, often with detailed statistical data to back up their key points.

The more sessions I attended, the more it became clear that access to news and security breach information invariably originates south of the border, is sourced overseas or from government disclosures. Despite the central Toronto location of the event, the elephant in the room invariably was the lack of Canadian data and visibility into the latest breaches, even from an aggregate perspective. The Canadian private sector’s ability to gauge its own exposure to risk is limited to heresay and in many cases, to a false sense of security.

Speaking of statistics, I personally meet with about a dozen prospective clients each month and keep track of their feedback and attitudes towards risk. In doing so, I found that approximately half of IT managers and two-thirds of business owners truly believe they have never been hacked because they are effectively impermeable to all malicious attacks. This perceived invulnerability is a cyclical argument that helps to persuade Canadian businesses they’re doing a fine job of protecting sensitive and customer data despite not being able to quantify neither the number of attacks nor the degree to which their information assets are exposed.

A full decade after the rollout of PIPEDA without the requirement for breach notification, this situation has placed our country at a disadvantage globally, exposed Canadian organizations to incalculable risk and created a haven for organized cybercrime. According to the RCMP and CISC (Criminal Intelligence Service Canada), a whopping 672 organized crime groups are currently costing the economy 6 billion every year.

Despite the cold, hard numbers – such as they are – the situation is far from intractable. Although we lack the numbers, the visibility afforded by our own research shows that a large percentage of organizations fortunate enough to detect a breach do the right thing and notify affected individuals.

In addition, Bill S-4, the proposed amendment to PIPEDA is still being considered as its likely successor, bringing with it not only mandatory notification but also significant fines for failing to comply. According to a recent Ponemon study, 77 per centĀ of consumers demand to know when they’ve been hacked, rating data breach notification as a very high priority.

Best of all, if and when it does kick in, Canada will already have had some practice with different approaches to informing potential victims thanks to Alberta’s existing Personal Information Protection Act (PIPA) and 3 other provincial laws specific to personal health information.

But wait, you say, that’s fine for government agencies and some private sector organizations that have been shamed into it, but how does an organization actually prepare for breach notification? How does anyone respond to a data breach? Assuming your organization has taken steps to invest in detective and monitoring controls to increase the chances of breach detection (which is not a trivial undertaking, but fundamental requirement nonetheless), knowing what to next can mean the difference between expensive, public ridicule and any number of outcomes with a controlled degree of damage.

Without getting technical, here is a concise list of simple to-dos for Canadian managers to adopt when the prospect of contacting data owners looks like it might become a harsh reality:

  1. Discuss the process and its implications at the highest levels of the organization, well ahead of time.
  2. Take stock of existing compliance requirements and leverage the ability to detect breaches to determine when to investigate, when to resume operations and when to report. Ensure the integrity of the data in your incident management process.
  3. Ultimately, the decision to notify rests with management. Ensure that everyone understands the impact of the breach, the need to notify (or not) and the impact of different approaches. Review policies and tighten your shoelaces. You will need everyone to be on the same page at every step.
  4. Anticipate questions and determine the degree to which you may volunteer information before the investigation is complete. Insufficient visibility into the event will further erode public trust. Too much disclosure will undermine efforts and limit future options.
  5. Notify law enforcement and the Privacy Commissioner early on. They will ensure that your process is sound and offer valuable guidance for incident response and evidence handling.
  6. Document every step of your decision process leading up to the actual communication. If no plan exists, create one and communicate it to all key stakeholders. Data breach communications can have a very disruptive effort on the organization and its productivity. Allocate human and technology resources wisely.
  7. Offer ample support to affected individuals and document every step along the way. You will need it.

Ultimately, regardless of breach notification law, management and C-level executives make the go/no go decision to inform victims or communicate with the public. Making data breach preparedness a continuing priority can go a long way towards strengthening the company’s image and having the confidence that your organization and its people will be able to handle disruptive events with due care and professionalism. It’s an important decision and one that can make the difference between suffering reputation damage or building a stronger brand based on trust and respect.