New privacy rules will force Canadian companies to disclose data breaches

New privacy rules designed to better safeguard the personal data of Canadians and let them know when it has been breached kick in today, but even security experts say they are far from perfect.

Experts say rules don't go far enough

The new PIPEDA rules will force companies to disclose it faster to their customers when there has been a breach. (Jim Urquhart/Reuters)

New privacy rules designed to better safeguard the personal data of Canadians and let them know when it has been breached kick in Thursday, but even security experts say they are far from perfect.

The legislation, known as the Personal Information Protection and Electronic Documents Act (or PIPEDA) does a lot of things, but most importantly from a consumer's perspective, it requires Canadian companies to alert their customers any time their personal information may have fallen into the wrong hands.

Much of the law is aimed at preventing breaches in the first place, but as of now, companies big and small are required to notify the office of the Privacy Commission of Canada any time there's "a real risk of significant harm to an individual" from a security breach, even if the exact terminology of what constitutes a breach will still be open to interpretation.

Among the new rules are a requirement that companies must keep accurate data about cybersecurity safeguards for two years following, in case breaches are revealed down the line. The law also calls for "appropriate" digital safeguards at all parts of the business, including dealings with third party contractors.

The rules call for stiff penalties, too — up to $100,000 per violation — a sum that should be enough to frighten many businesses into updating their IT infrastructure. But many will have problems complying with the new rules, partly because of a lack of awareness.

"The vast majority of business owners don't know that this is happening," says Monique Moreau, a vice-president at the Canadian Federation of Independent Business. "Among all the changes and government regulations," she says, "data breach reporting requirements are not going to be top of the list."

She gives the example of a theoretical local, small business such as a bicycle shop, that likely emails its existing customers a few times a year, to alert them of new sales. Previously, that store likely didn't have to think very much about what email service they were using, or where the credit card data was being stored from any sales they conducted online.

"But now these guys are going to take the fall because the email service they were using got hacked," she says.

"They are going to learn the hard way if something happens."

Rick Costanzo is CEO of Rank Software, an Ottawa-based digital security firm that helps companies stay ahead of cyber threats. While he agrees that far too many companies have ignored data breaches for too long at their peril, that isn't the case for everyone. In the past 10 months he says his company's revenues have more than doubled, and he says the looming PIPEDA rules are "a significant reason why customers are reaching out to us."

"Because it's not a question of if, it's a question of when you're going to get hacked."

While the privacy commissioner's office calls the new rules a step in the right direction, even they think the rules don't go far enough — mainly because the office hasn't been granted powers and resources to enforce them.

By the letter of the new law, the commissioner's office can only advise organizations to make changes, not penalize companies for failing to comply or alert their customers. 

The law is full of imprecise language, such as alerting Canadians that their data has been exposed only "as soon as feasible" after a "real risk" of "significant harm" has been detected, which makes it likely some incidents will be reported too slowly or not at all.

Canadian companies spent $14 billion on cybersecurity last year, but one in five of them was still hit by a breach. (Damien Meyer/AFP/Getty Images)

In a release last month, the office of Privacy Commissioner Daniel Therrien says recent data breaches such as the Equifax hack and events at Cambridge Analytics have made these issues top of mind for Canadians, but lawmakers haven't followed up that concern with concrete action.

He's asking for the government to increase his $24 million annual budget by half, money that would go to hire more people to analyze and investigate the influx of breach reports they're expecting.

"There's no need to further debate whether to give my office new powers to make orders, issue fines and conduct inspections to ensure businesses respect the law," Therrien said.

Ale Brown, who provides privacy advice to North American companies in a range of industries through her Vancouver-based firm Kirke Management Consulting, says some companies have been proactive on the file because they see the danger. But the majority have ignored it as long as they can.

"In my experience, what I have found, is that companies do something when they see their bottom line threatened."

With files from The Canadian Press