Canadian companies have no incentive to report cyber attacks, like that on Ashley Madison:
Canada’s Digital Privacy Act, passed by Parliament in June, will require companies to report breaches once regulations are prepared. But experts say it is essentially toothless because it contains few financial penalties.
The Act will introduce fines up to $100,000 for deliberately not reporting a breach.
“There’s the obligation to report, which is, of course, positive,” said Christopher Parsons, managing director of the telecom transparency project at the Munk School of Global Affairs’ Citizen Lab.
“But without any sort of punitive consequences you run into the question of how useful is the notification itself.”
There is little data on how secure corporate Canada truly is partly because of a lack of breach notification laws, Parsons said.
Without a financial imperative to beef up security, companies are unlikely to shell out the millions of dollars required to identify and prevent attacks, Parsons said.
“For most companies, security is a drag,” Parsons said, adding that executives tend to reject investment in cybersecurity because security concerns lead IT professionals to say “no” to many ideas, while also consuming company time, money and resources.
“All those no’s either inhibit fast fluid business, or they increase the cost and the friction of anything a company wants to do.”
Meanwhile, hackers are getting more sophisticated, but they don’t even need to because the defence systems are so weak, Parsons said.
“If you’re a hacker, you have to succeed once; if you’re a defender, you have to succeed every single time.”