Cybersecurity experts are worried that the increased frequency of data breaches is becoming normalized by the public, reducing the pressure on organizations that handle private data to do better.
“It’s clear that this happens to many major companies, even those who invest heavily in security. I don’t want to say that it’s inevitable, because it’s not, but there is an aspect of frequency to this, that is really startling,” said Ira Goldstein, the chief operating officer at Herjavec Group, in an interview with IT World Canada. “I think there’s kind of a societal and philosophical angle to that where people are becoming quite desensitized to it.”
Mark Nunnikhoven, vice-president of cloud research at Trend Micro, said that such a desensitization is one of his biggest fears and the worst-case result of cybersecurity breaches like the one at Capital One Financial Corp., which exposed the private information of around 100 million people in the U.S., and 6 million Canadians.
Desensitization among the public could also reduce their motivation to lobby for stronger laws and regulations.
“That is what I’m scared of. You can’t go a week without opening one of the major national papers and seeing a breach somewhere. It is very easy to become desensitized to, especially in an area as complex as technology. That is an issue so vast and complex that it’s easier just to say ‘that’s just how it is’,” said Nunnikhoven in an interview with IT World Canada. “There’s a lot of things that organizations can do to strengthen their security to reduce the number of data breaches that there are. But without that demand from the people and that big stick from regulators, it’s unlikely they’re going to undertake that of their own accord.”
While Canada does lag behind regulatory leaders like Europe’s General Data Protection Regulation (GDPR), the federal government did recently implement a new Digital Privacy Act (DPA), which amended the Personal Information Protection and Electronic Documents Act (PIPEDA) to include regulations dictating how organizations must report such breaches. Many in the channel community, however, said these new regulations were too vague to have a true impact.
But these updated policies, according to Goldstein and Nunnikhoven, don’t include enough financial penalties.
Referencing the maximum penalty under the GDPR of 6 per cent of global revenue, Nunnikhoven said that “money talks” and called for additional penalties to be levied against offending Canadian organizations.
“That really highlights the biggest weakness in Canadian data privacy regulation. In general, we’ve done a decent job about it. Finally, the nuts and bolts are put in place,” said Nunnikhoven. “The challenge there is that the fines aren’t nearly big enough. We need financial incentives to align security interests of citizens with those of the business. And I think that’s the glaring part.”
And with a much lower maximum threshold for fines in Canada than in Europe, Goldstein worries that organizations, especially those whose business relies on collecting and leveraging people’s data, will not take the fines seriously.
“With fines up to $100,000, it can be seen as a cost of doing business as opposed to a real penalty that drives behavior.”