It is no secret that Canadian businesses have struggled to protect both the personal and the financial data held within their organizations. As a component of the Digital Privacy Act that was passed in 2015, the Canadian government is now in the final stages of enforcing legislation that will require all businesses in Canada to report any cyber security breach immediately.
The new law will require businesses to report system breaches, including what information was compromised and how access was gained. This information must be reported to the office of the Privacy Commissioner of Canada, who will then decide whether to inform the public. The total collection of information will be an effective way for the government to alert other businesses, as well as to analyze trends for the purpose of future prevention. Organizations that fail to maintain records or report data breaches will be subject to fines of up to $100,000. Procedures outlining when and how a business should report instances of data breaches will appear in the official publication of the federal government, titled the Canada Gazette, in the very near future.
Reporting of data breaches is nothing new. It has become the law in much of Europe, as well as in a growing number of U.S. states. The importance of protection and reporting is emphasized in a recent study put forth by cloud security company Scalar Decisions Inc. and cited in a recent Ottawa Citizen article. According to the 2017 study, the average number of cyber attacks in Canada has risen 44 per cent among small and medium-sized businesses since 2014. If that number seems staggering, consider that these same businesses paid $7.2 million in 2016 to recover from data breaches.
Regulations on the new law must still pass through another round of public consultations prior to moving into the Canadian Parliament for approval. Therefore, it may be a number of months before this law becomes official, although full enforcement is expected by the end of 2017. David Masson, country manager for Canada at cybersecurity firm Darktrace, claims that "what this does is change the way businesses actually do security issues. They are going to have to have adequate safeguards in place." Though implementation and enforcement of this law may still be a ways away, when it does become a reality, it could be beneficial to businesses and the public alike.