The federal government is in the final stages of enacting legislation that will require all businesses in Canada to report any cyber security breach as soon as they become aware of it.
It’s a step meant to close what critics say has been a major gap in this country’s protection of personal and financial data.
The new laws were passed as part of the Digital Privacy Act in 2015, but have not yet come into effect due to the need for “related regulations outlining specific requirements.”
Industry stakeholders had also asked government for a “transition period” allowing them to better prepare their computer systems and internal policies to report hacking attempts and issues pertaining to computer viruses on their networks.
That pause is about to expire, according to Innovation, Science and Economic Development Canada, which wrapped up a series of public consultations in the fall.
A spokesman said a summary of those consultations was posted to the federal department’s website in October. Draft regulations, outlining exactly when and how business must report data breaches, are expected to appear in the Canada Gazette, the official publication of the federal government, in the coming weeks. Those draft regulations will be opened for another round of public consultations before they are forwarded to Parliament for approval.
In much of Europe, and an increasing number of U.S. states, any breaches of personal data or financial information at a private corporation must be immediately reported to authorities.
Outside of Alberta, which enacted its own legislation requiring the reporting of a hack or other breach of data, Canada has not had such strict reporting laws.
Until now, it was up to a company to decide whether to go public if it was hacked, allowing a vast majority of cyber intrusions to go unnoticed.
It’s been an issue the federal Office of the Privacy Commissioner has been warning about for years.
In 2007, apparel and home goods company TJX was forced to admit that its systems had been hacked. The admission followed mounting pressure from financial institutions that had been forced to deal with an increase in fraudulent charges to their customers’ accounts. While TJX announced the news in 2007, it was later revealed that the breach had actually started in 2005 and that it involved more than 100 million credit card numbers, double what the company initially stated.
Under the new legislation, companies will be forced to immediately report the system breach, what information was lost and how the attacker gained access. The information would have to be reported to the Office of the Privacy Commissioner of Canada, who will decide whether it needs to be released publicly. At the very least, the information collected by the commissioner’s office could be used to alert other businesses to the hackers’ tactics. It could be forwarded to financial institutions to minimize fraudulent charges or identity theft, for instance. The privacy commissioner’s office could also order the business to notify individuals who may be affected by the breach.
Companies will also need to maintain a record of all breaches involving personal information and provide a copy of those records to the privacy commissioner’s office upon request. Organizations that fail to report data breaches to the privacy commissioner’s office or to keep records of prior incursions could face fines of as much as $100,000.
“Think of it like the federal government enforcing cyber hygiene on businesses in Canada,” said David Masson, country manager for Canada at cyber-security firm Darktrace. “What this does is change the way businesses actually do security issues. They are going to have to do it now. They’re going to have to have adequate safeguards in place … and actually use the tools they’ve got and know what’s going on in their networks.”
The requirements from government come as Canadian businesses are reeling from an onslaught of new attacks from hackers. A newly released study from cloud security company Scalar Decisions Inc. found the average number of cyber attacks against small and medium-sized businesses in Canada has risen 44 per cent since the company began tracking data in 2014. The report surveyed more than 650 information technology workers at small and medium-sized businesses across the country. Those businesses spent a total of $7.2 million in 2016 to recover from data breaches.
Of those affected by ransomware, an increasingly popular attack by hackers that locks a company’s computers until a ransom has been paid to the attacker, only 21 per cent reported the incident to authorities, according to Scalar.
“Organizations need trained personnel who understand how to react when faced with threats,” said Ryan Wilson, chief technology officer at Scalar in a statement. “The increase in incidents and decreasing confidence we are seeing coincides with the growing sophistication, severity and cost of attacks.”
Darktrace’s Masson agreed, saying that while large companies may have the talent and resources to respond to an attack on their computer networks, small and medium-sized firms may not. However, the new requirements will still mean those small and medium-sized businesses must report a data breach to the Office of the Privacy Commissioner or face a possible fine.
“The big guys know what to do and have the resources and security teams to do it with,” said Masson. “Small and medium enterprises don’t have that.”
Monique Moreau, vice-president of national affairs for the Canadian Federation of Independent Business, said a vast majority of businesses in Canada have no idea that these regulations are coming. She said she would like to see leniency from the federal government, particularly when it comes to small business owners, for first-time offences.
“Government has a role to play here. What we’re always emphasizing is education before enforcement. For a vast majority of business owners, the first time they will hear about this is when this happens to them,” said Moreau. “Do they know (about the reporting requirement)? Probably not. Are they prepared at this point? Probably, also, not.”
The CFIB, which represents 109,000 small and medium-sized businesses across the country, said it will be notifying its membership about the upcoming regulations as more specifics regarding the legislation are posted in the Canada Gazette. Moreau said the organization has 200 country managers who regularly liaise with members about various business issues and that this will become one of the new issues they will be highlighting.