Media coverage is still what prompts several Canadian organizations to respond effectively to data breaches, not the country’s privacy legislation, according to KPMG’s Imraan Bashir.
Some of the more embarrassing cases of mishandled private information in recent years – Bashir wouldn’t name the stories or companies specifically – were pushed aside until the media got hold of them.
Bashir, partner and national leader of public sector cybersecurity, maintains that unless there’s a colossal reset around how businesses in both the public and private sector view people’s data, it will end up exposed or in the wrong hands. Organizations that sidestep responsibilities are losing the public’s trust fast.
“And the level of trust towards one company versus the other is dramatically different,” Bashir said, referring to a KPMG study that shows 84 per cent of people would take their business elsewhere if a company failed to keep their data safe.
This lack of trust has led to multiple stern warnings from Canada’s privacy commissioner Daniel Therrien over the years. The most recent one came in 2020 when he said Canada’s privacy laws governing the public and private sectors need a serious facelift.
“Back in May 2019, the crisis of trust led the federal government to propose a Digital Charter, which includes plans to update PIPEDA. The government has since reiterated its intent to reform both PIPEDA and the Privacy Act,” Therrien noted in his 2019/2020 annual report. “More than a year later, we have yet to see the specific ways in which our legislative framework would be modernized to live up to the challenges of the digital age – and to Canadians’ expectations.”
Sylvia Kingsmill, KPMG’s national partner and privacy, regulatory and risk consulting expert, warns that Canada can’t be stagnant when modernizing privacy legislation.
“Technology doesn’t keep pace with static legislation,” she told the publication.
Last November, the Canadian government announced changes to existing legislation and wrapped them under a new Digital Charter Implementation Act (Bill C-11). One of the most notable changes was the federal privacy commissioner gaining the ability to recommend that companies be fined for not complying with the updated and stiffer privacy legislation.
Some provinces have also grown impatient and are moving forward with updating their privacy laws, Kingsmill points out. Quebec, for example, introduced Bill 64, which is meant to bring its privacy laws more in line with the General Data Protection Regulation.
Bashir also highlighted the CIO Strategy Council’s efforts to develop standards around the use of emerging technologies. Those efforts have culminated in new Canadian National Standards, such as the National Standard of Canada for third-party access to data and the ethical design and use of automated decision systems. KPMG is closely tied to these standards’ ongoing development, and Bashir says he hopes to see these standards reflected in future legislation or used to amend current ones.
The more organizations leverage these standards when implementing technologies into their business, he says, the wider their safety net becomes when asked to explain why it was implemented and how. And when a data breach does occur – and it will – these standards can also help the organization report those breaches more effectively thanks to a better understanding of who has access to data and why.
“I think standards are useless if they’re just sitting on a shelf,” he said.
Private sector reporting way more cyberattacks
The Office of the Privacy Commissioner of Canada (OPC) states that under the Canadian Privacy Act – which governs how the federal government handles personal information – it accepted 341 breach reports last year, an increase from 155 a year prior. But don’t let the numbers fool you.
“While the number of institutions that reported breaches to our office increased from 29 to 34 this year, this number represents less than 14 per cent of the approximately 250 organizations that are subject to the Privacy Act,” Therrien explained in his annual report.
In 2019-2020, the OPC says it received 678 breach reports under the Personal Information Protection and Electronic Documents Act (PIPEDA), affecting an estimated 30 million Canadian accounts. That’s more than double the number of reports it received during the previous year and six times the number received the year before breach reporting became mandatory under PIPEDA in 2018.
Breach reports received from three industry sectors accounted for 50 per cent of all breach reports the OPC received in 2019-2020, with 19 per cent from the financial sector, 17 per cent from telcos, and 14 per cent from sales and retail.
But what’s most puzzling about the private and public sectors’ breach reports is the discrepancy between reported cyberattacks. In his annual report, Therrien couldn’t explain why so few privacy breach reports from federal institutions mention cyberattacks. For 2019-20, the public sector indicated that less than two per cent of all reported breaches involved a cybersecurity event. Under PIPEDA, that number goes up to 42 per cent, and almost all of those breach reports mention malware, ransomware, social engineering and other intrusion methods.
“It is unclear why there is such a significant discrepancy between the numbers,” Therrien wrote.
Bashir and Kingsmill don’t have answers either.
Ongoing confusion over what is deemed “sensitive material” during a breach and what could lead to a reasonable expectation of injury or harm – two criteria that must be met before public sector organizations inform affected individuals and the privacy commissioner’s office – likely contributes to this puzzle, Kingsmill and Bashir indicated.
“The threshold is very high,” the two noted in a follow-up email response. “The information must be sensitive, expected to cause either serious injury or harm or involve a large number of people, neither of which are concretely defined, leaving a lot of room for discretion for the reporting party.”
It doesn’t help, they added, that the Privacy Act doesn’t legally mandate the reporting of breaches.
Clarification: A previous version of this story quoted Imraan Bashir saying breaches over the past year were still sometimes “swept under the rug.” The exact quote was “others who try to hide it or sweep it under the rug …” are met with a different level of public trust than those who don’t. IT World Canada apologizes for the error.