KPMG says companies are paying a heavy price for 'data breaches under the rug'

KPMG says companies are paying a heavy price for 'data breaches under the rug'

According to KPMG's Imran Bashir, media coverage still inspires many Canadian organizations to respond effectively to data breaches, not the country's privacy laws.

Some of the more embarrassing examples of private information in recent years - Bashir cannot point to those stories or companies in particular - until the media caught it.

Bashir, a partner and national leader of public sector cyber security, says that unless both public and private sector businesses look at people's data, a firm conclusion is reached about whether it will end or be in the wrong hands Will go. The organizations that carry the responsibilities are rapidly losing public confidence.

"The level of trust is dramatically different from one company versus another," Bashir said, referring to a study by KPMG. "84 percent of people take their business elsewhere if a company fails to secure their data Will go

Canada's Privacy Commissioner Daniel Therrien has been under severe warnings over the years for lack of this trust. The most recent one came in 2020 when he stated that Canada's privacy laws governing the public and private sectors needed a serious aspect.

other than this:

Canadian privacy official said data protection rules are nothing if they do not apply

“In May 2019, the crisis of confidence prompted the federal government to propose a digital charter, including plans to update PIPEDA. The government has since reiterated its intention to reform both PIPEDA and the Privacy Act, ”Therrien noted in its 2019/2020 annual report. "After more than a year, we have yet to see the specific ways in which our legislative framework will be modernized to meet the challenges of the digital age - and the expectations of Canadians."

Sylvia Kingsmill, KPMG's national partner and privacy, regulatory and risk consulting expert, warns that Canada may not be stable when privacy law is modernized.

"Technology does not keep pace with static law," she told the publication.

Last November, the Canadian government announced changes to existing legislation and wrapped it up under a new Digital Charter Implementation Act (Bill C-11). One of the most notable changes was that the Federal Privacy Commissioner receiving the ability to recommend companies should be fined for not following the updated and strict privacy law.

Some provinces have also become impatient and are moving forward with updating their privacy laws, Kingsmill explains. For example, Quebec introduced Bill-64, which is to bring its privacy laws more in line with general data security regulation.

Bashir also highlighted the CIO Strategy Council's efforts to develop standards for the use of emerging technologies. Those efforts have culminated in new Canadian national standards, such as Canada's national standard for third-party access to data and the ethical design and use of automated decision systems. KPMG is closely involved with the ongoing development of these standards, and Bashir says that he hopes to see these standards reflected in future legislation or used to modify others.

As more organizations take advantage of these standards when they implement technologies in their business, they say a wider safety net is created when it is explained why and how it was implemented. And when there is a data breech - and it will be - these standards can also help the organization to report the breech thanks to a better understanding of who has access to the data and why.

"I think the standards are worthless if they're just sitting on a shelf," he said.