KPMG says companies are paying a heavy price for 'data breaches under the rug

KPMG says companies are paying a heavy price for 'data breaches under the rug'

According to KPMG's Imran Bashir, media coverage still prompts many Canadian organizations to respond effectively to data breaches, not the country's privacy laws.

Some of the more embarrassing examples of private information in recent years - Bashir cannot point to those stories or companies in particular - until the media caught it.

Bashir, partner and national director of public sector cybersecurity, says that unless a firm conclusion is reached about how people from both the public and private sector businesses view data, it will end or in the wrong hands Will go. The organizations that carry the responsibilities are rapidly losing public confidence.

"The level of trust is dramatically different from one company versus another," Bashir said, referring to a study by KPMG. "84 percent of people take their business elsewhere if a company fails to secure their data Will go

Canada's Privacy Commissioner Daniel Therrien has been under severe warning for many years due to this lack of trust. The most recent one came in 2020 when he stated that Canada's privacy laws governing the public and private sectors needed a serious aspect.

other than this:

Canadian privacy officials say data protection rules are nothing if they do not apply

“In May 2019, the crisis of confidence prompted the federal government to propose a digital charter, including plans to update PIPEDA. The government has since reiterated its intention to reform both PIPEDA and the Privacy Act, ”Therrien noted in its 2019/2020 annual report. "After more than a year, we have yet to see the specific ways in which our legislative framework will be modernized to live up to the challenges of the digital age - and on the expectations of Canadians."

Sylvia Kingsmill, KPMG's national partner and privacy, regulatory and risk consulting expert, warns that Canada cannot be stable when privacy law is modernized.

"Technology does not keep pace with static law," she told the publication.

Last November, the Canadian government announced changes to existing legislation and wrapped it up under a new Digital Charter Implementation Act (Bill C-11). One of the most notable changes was that the Federal Privacy Commissioner receiving the ability to recommend companies should be fined for not following the updated and strict privacy law.

Some provinces have also become impatient and are moving forward with updating their privacy laws, Kingsmill explains. For example, Quebec introduced Bill-64 to bring its privacy laws more in line with the General Data Protection Regulation.

Bashir also highlighted the CIO Strategy Council's efforts to develop standards for the use of emerging technologies. Those efforts have culminated in new Canadian national standards, such as Canada's national standard for ethical design and use of third-party access to data and automated decision systems. KPMG is closely involved with the ongoing development of these standards, and Bashir says that he hopes to see these standards reflected in future legislation or used to modify others.

As more organizations take advantage of these standards when they implement technologies in their business, they say a wider safety net is created when it is explained why and how it was implemented. And when there is a data breech - and it will be - these standards can also help the organization to report breeches that have access to the data and why, thanks to a better understanding of why.

"I think the standards are worthless if they're just sitting on a shelf," he said.

Cyber ​​attacks are more frequent in private sector reporting

The Office of the Privacy Commissioner of Canada (OPC) states that under the Canadian Privacy Act - which outlines how the federal government handles personal information - it accepted 341 violations reported last year, up from 155 years ago. Was an increase of. But numbers don't have to fool you.

"While the number of institutions reporting violations to our office increased from 29 this year to 34, this number represents less than 14 percent of the nearly 250 organizations that are subject to the Privacy Act," Therrien said in its annual Explained in the report.

In 2019-2020, the OPC says it received 678 breech reports under the Personal Information Protection and Electronics Documents Act (PIPEDA), affecting an estimated 30 million Canadian accounts. This is more than double the number of reports received during the previous year and six times the amount received in the year before breech reporting for PIPEDA in 2018.

The breech reports received from the three industry sectors accounted for 50 percent of all breech reports received in 2019-2020, 19 percent from the financial sector, 17 percent from Telcos, and 14 percent from the sales and retail sectors.

But breech representatives from the private and public sectors

What is the most surprising thing about Dhie

orts is the discrepancy between cyberbaitaxes. In his annual report, Therrien could not explain why some privacy breach reports of federal institutions mention cyber attacks. For 2019–20, the public sector indicated that less than two percent of all reported violations involved cyber security incidents. Under PIPEDA, this number rises to 42 percent, and almost all breech reports mention malware, ransomware, social engineering, and other intrusion methods.

"It is unclear why there is such a significant discrepancy between the numbers," Therrien wrote.

Bashir and Kingsmill have no answers either.

What is considered "sensitive material" during a breach and whether there can be reasonable expectation of injury or harm - two criteria that public sector organizations notify affected individuals and the Office of the Privacy Commissioner are likely to meet Is - the factors of this puzzle, indicating Kingsmill and Bashir.

"In response to an email the two said," The limit is too high. "The information must be sensitive, either expected to cause serious injury or harm or involving a large number of people, none of whom have been decisively defined, giving a lot of discretion to the reporting party There is scope. "

This did not help him, he said, adding that the Privacy Act did not legally require mandatory disclosure of violations.

Clarity: In the previous version of this story, Imran Bashir was quoted as saying that sometimes in the last one year there were "flowing under the carpet". The exact quote "other people who try to hide it or sweep it under the rug ..." has been met with a different level of public trust than those who don't do it. IT World Canada apologizes for the error.