Ottawa plans to fine companies that fail to report data breaches

Canadian companies that try to hide data breaches could soon face fines under new regulations being proposed by the federal government.

In most provinces, it is up to a company to decide whether to tell Canadians if their computer systems have been hacked or if personal data ranging from their names to their social insurance numbers, addresses or credit card information has fallen into the wrong hands.

Under the planned changes, however, it would be mandatory for companies to report to authorities and notify individuals if their data has been breached.

"The proposed regulations are expected to contribute positively to the privacy and security of individuals," government officials wrote in a notice of the proposed changes.

"Mandatory breach reporting allows individuals who are affected by a breach to take immediate action to protect themselves against further compromise that may lead to fraud, identity theft, humiliation, loss of employment or other forms of significant harm."

The government said studies have found that many people affected by a data breach become victims of identity theft or fraud.

The regulations accompany the Digital Privacy Act adopted in June 2015. While the government suggested earlier this year that it planned to make data breach reporting mandatory, it has now given notice of the regulations necessary to make that happen.

Currently, Alberta is the only province where companies are required by law to report data breaches.

Under the proposed rules, companies that have a data breach would have to do a risk assessment to determine if the breach poses "a real risk of significant harm." If so, they will be obliged to notify the individuals affected and report the breach to the Privacy Commissioner of Canada's Office.

Companies would also have to notify "any other organization that may be able to mitigate harm to affected individuals" and maintain a record of any data breach and provide it to the Privacy Commissioner's office on request.

Data breaches on the rise

Some data breaches result from companies not doing enough to prevent them, the government contends.

"Experts in data security believe that data breaches are on the rise because organizations are not taking appropriate measures to protect the data they hold," officials wrote, adding that it is often individuals, not companies, that bear the cost of a data breach.

A recent report by Risk Based Security Inc. found that Canada had the third largest number of data breaches in the first six months of 2017, behind the United States (1,357) and the United Kingdom (104). The 59 incidents across Canada exposed an estimated 2.1 million records.

A June 2016 report by the Ponemon Institute LLC, sponsored by IBM, looked at data breaches in 24 Canadian companies and found the cost of breaches was on the rise.

It's difficult to determine, however, how many data breaches have occurred in Canada in recent years.

In his most recent report, Privacy Commissioner Daniel Therrien said there were 115 private sector data breaches between Jan. 1, 2015, and March 31, 2016, and another 298 breaches involving government departments subject to the Privacy Act between April 1, 2015, and March 31, 2016.

But Therrien's office acknowledges it doesn't know for sure how many breaches are taking place.

"Given that breach reporting is not currently mandatory, we don't have a full picture of the number of breaches occurring, although it's clear that we aren't notified of all of them," said Tobi Cohen, senior communications adviser.

Cohen said the Privacy Commissioner's Office supports mandatory reporting.

"During the last few years we have seen a number of high-profile data breaches, both in Canada and abroad, that compromised the personal information of Canadians," said Cohen. "Mandatory breach reporting and notification will create an incentive for organizations to take information security more seriously and bring enhanced transparency and accountability to the way private sector organizations manage personal information."

Cohen said mandatory reporting would provide individuals with information to help them reduce the risks resulting from unauthorized access to their personal information.

Risks for business

Wendy Wagner, a partner at Gowlings WLG and leader of its Privacy and Data Protection Group, said members of the public are becoming more sophisticated in how they share their personal information and more aware of data breaches.

Wagner said most companies are experiencing "data security incidents on a very regular basis," but not all of them result in personal information being compromised.

She said most organizations voluntarily notify individuals affected by a data breach.

"I think there is an awareness that there is a really big public relations issue associated with data breaches and that oftentimes if something comes out after the fact, you will be in a worse position as an organization if you didn't let people know."

Wagner said under the proposed new rules, fines could range from up to $10,000 for a summary offence to up to $100,000 for an indictable offence.

Dan Kelly, president of the Canadian Federation of Independent Business, said it is reasonable for government to require companies to disclose data breaches that affect individuals.

"What would worry us, though, is how much are small businesses expected to do, how far are they expected to go and what are the consequences of imperfect compliance with the rules," said Kelly, pointing out that small businesses already have to comply with a lot of rules.

Those who want to tell the government what they think about the proposed regulations have a month to submit their opinions to Innovation, Science and Economic Development Canada.

Elizabeth Thompson can be reached at elizabeth.thompson@cbc.ca