Nobody likes to talk about getting hacked. For one, it's embarrassing. And for companies, it's a quick way to lose customers' trust. It's why you rarely hear about data breaches or cyberattacks on big businesses unless the companies are forced to admit something happened.
But over the next few months, more Canadian companies will have to start speaking up, whether they like it or not — especially if the theft of personal information is involved.
Upcoming changes to Canadian privacy law and recent guidance from the Canadian Securities Administrators mean that Canadian companies will not only have to disclose more about cyberattacks than they have in the past, but be more proactive about disclosing specific risks that could lead to attacks in the future.
For Canadians, it should mean more insight into what companies are doing to protect your data. And if your data is lost or stolen, companies will have to tell you, or risk being fined. No more sweeping attacks under the rug.
Kevvie Fowler, KPMG's national leader of cyber response in Canada, says he expects to see the number of reported breaches "skyrocketing" this year as a result.
And with more known breaches, there will be more angry victims, meaning a likely increase in the number of companies being sued, Fowler says.
The hope is that more transparency will lead to better protections and fewer breaches in the long term. And "there should be a large amount of information that floods the internet from these organizations" this year, Fowler says.
Privacy law gets some teeth
"There are a significant number of breaches that never get reported because there's no obligation to report them," says Imran Ahmad, a partner at the law firm Miller Thomson, who specializes in cybersecurity.
But later this year that will start to change.
The short history is that in June 2015 the Canadian government passed the Digital Privacy Act requiring, among other things, that data breach notification and reporting regulations become part of Canadian privacy law.
The government expects to publish draft regulations "sometime in early 2017," according to an Innovation, Science and Economic Development spokesperson, but couldn't say when the final regulations will be published, or when they might come into force.
However, Ahmad, as well as others in the industry, say they expect the regulations to take effect by the fourth quarter of this year.
From then onward, organizations will have to log all breaches, and users will have to be notified of any breach that poses "a real risk of significant harm."
Typically, that would mean any information that could be used to commit fraud or pull off a social engineering attack — for example, names and addresses, credit card data, security questions and passwords, or past orders on an online shopping site. But it could also include information with the potential to humiliate or damage a person's reputation.
Failure to log a breach or notify users when required could result in a fine of up to $100,000, "a step in the right direction," Ahmad said, when it comes to giving the regulations some teeth.
Regulators get involved
The Canadian Securities Administrators (CSA), on the other hand, is doing its part to ensure that publicly traded Canadian companies are more transparent about their cybersecurity practices before they get hacked — and not just afterward.
Last month the CSA looked at how 240 publicly traded companies in Canada talked about cybersecurity in their financial filings — the potential impact of a cyberattack, information at risk, who handles the company's cybersecurity, and any disclosures of previous breaches or attacks.
The CSA found that 40 per cent of companies failed to address cybersecurity risks in their disclosures. And generally speaking, the CSA found that filings tend to use generic, boilerplate language — even though different types of companies face different types of cyberattacks or threats, and hold different types of data subject to varying degrees of risk.
For banks, Ahmad said, the big risk is phishing (fraudulent emails purporting to be from a legitimate source), while for an online store it's a distributed denial of service (DDoS) attack: two different risks.
"Taking down the website of a manufacturer may not have the same impact on their operations as a DDoS attack on an e-commerce business," Ahmad said.
In its guidance note, the CSA says it expects issuers "to provide risk disclosure that is as detailed and entity specific as possible" and that it will be monitoring companies for compliance.
"I think the next step is probably going to be, what is the enforcement action for non-compliance?" Ahmad said. "We're not there yet, but that's where we're headed."