
Companies need to let you know about data breaches — eventually


Canadians are frequently warned about the safeguards they are meant to take with their personal data online, such as avoiding phishing scams and choosing strong passwords.

But sometimes, the safety of your online information is outside of your control. And what the companies have to tell you about your digital safety isn’t always clear.

Some estimates peg the global economic cost of cybercrime at up to US$600 billion. As cyber attacks become more sophisticated, the targets of those attacks are, increasingly, large companies.

Canadian businesses reportedly spent $14 billion to prevent, detect and recover from cyber security incidents in 2017, less than one per cent of their total combined revenues, according to Statistics Canada's first ever report measuring the impact of cybercrime on Canadian businesses.

“It doesn’t matter if the breach affects one person or many. Documentation is required and compliance with new regulations is important,” says Carole Piovesan, an associate at McCarthy Tetrault, and the co-head of the firm’s national cybersecurity, privacy and data management group.

Beginning November 1, organizations subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) must report to the Office of the Privacy Commissioner of Canada (OPC) any breach of security safeguards involving personal information that poses a "real risk of significant harm" (RROSH) to individuals. Organizations must also notify the affected individuals as soon as feasible. These provisions were introduced by Canada's Digital Privacy Act in 2015 and are coming into force now; they are expected to give Canadians better protection against data breaches.

When determining what constitutes "significant harm," Piovesan says companies consider the "sensitivity of the personal information involved in the breach, and the probability the personal information has been, is being, or will be, misused."

The new regulation covers a broad range of situations, which leaves a lot open to interpretation. If the leaked information could lead to bodily harm, humiliation, loss of employment or professional opportunities, financial loss, damage to reputation or relationships, identity theft, negative effects on a credit record, or damage to or loss of property, the breach must be reported to the OPC and to the affected consumers under the new measures.

But Piovesan points out that the wording in the government document, which says consumers must be told "as soon as feasible," does not specify an exact deadline. There will be some flexibility, it seems, at least in the beginning, both in how harm is classified and in the time frame within which reports are made.

What to expect come Nov. 1

The new provisions are meant to help consumers. Yogen Appalraju, partner and cybersecurity lead at Ernst & Young, says that under the new legislation consumers have the right to privacy as well as the right to access their information and the right to ask any organization how it is using that information, in order to make corrections or even request that a process be cancelled.

“When receiving a notification of a security safeguard breach, a consumer would expect to be informed at least on the type of incident, how it might affect him or her, when the incident happened, what the organization is offering to the consumer and doing in general to remediate the situation, and the specification of a formal communication channel to interact with the organization’s privacy office, if needed,” says Appalraju. “Consumers must be prepared to react to these events and take notifications seriously.”

Monitoring reports of breaches is another way consumers can be proactive in protecting their information, especially in big cases where large volumes of data are compromised, he adds.

Companies are not required to report all breaches, but they are “required to properly document all instances of a data breach and maintain a complete record of the breach for at least two years,” says Piovesan.

Organizations that neglect to follow the guidelines and report a significant breach could face fines of up to $100,000.

Being proactive about privacy

"Our personal information has an enormous value and, as such, we need to be selective on what we will share and with whom," says Appalraju. "Consumers also need to follow leading cybersecurity practice, which includes using strong passwords or, ideally, using a double factor authentication method while also avoiding transactions or sharing data when connected to public networks or using public devices, and encrypting sensitive information."

A survey compiled by CompareCards found that consumers have become more proactive about protecting their personal information over the last 12 months: 65 per cent of respondents reported checking their online bank and credit card statements more often, and 50 per cent said they had set up alerts to notify them of charges on their statements.

Appalraju says every piece of personal information can represent a different value depending on the intended purpose. Referencing EY’s Global Information Security Survey, Appalraju says the most valuable information to cybercriminals is “customers’ personal information and passwords, financial information and strategic plans as well as personal information of senior executives and board members.”

If suspicious activity pops up, users need to be made aware of it in order to avoid the kind of breakdown in trust seen with the likes of Facebook, which is reportedly looking to acquire a cybersecurity firm of its own.

A survey in the U.S. found that less than half of consumers were open to forgiving a brand following a breach; seven per cent refused to forgive companies that allowed "bad actors access to their personal data," and 14 per cent said they "lost all faith in an organization's ability to protect their data."

Download the Yahoo Finance app, available for Apple and Android.