Disclosure inconsistent as Canada data breaches multiply

Compromised companies may have good reasons to keep hacks under wraps


Canadian companies are being hit hard by data breaches, at least according to analysis of major hacking capers that have been publicly disclosed.

Results of an IBM-sponsored study released in May revealed data breach damages on average topping $4 million for cases reported over roughly the past year.

The study, conducted by the Ponemon Institute, analyzed 21 Canadian companies with data breaches during fiscal 2015 and found the breaches cost, on average, $4.4 million (U.S. dollars). The average number of records breached at each company was 20,456.

With costs that high, including lost customer business, it is not surprising that some Canadian companies are reluctant to announce a data breach.


The Toronto Star newspaper reported in August that “Canadians are clueless about the vast majority of corporate data hacks, because companies suffer greater financial losses when they reveal they’ve lost data than when they keep consumers in the dark.”

Openness is the norm

Several privacy experts interviewed by Third Certainty, however, say Canadian companies should be given more credit for reporting data breaches.

Lyndsay Wasser, McMillan LLP privacy group co-chair

“It is difficult to hide significant data breaches, and I think that organizations realize that it is better to be proactive and transparent,” says Lyndsay Wasser, co-chair of business law firm McMillan LLP’s privacy group. “By being open and accountable, organizations can reduce the negative impact on customer trust and, therefore, reduce loss of business.”

Wasser says past data breach incidents have had “only a minimal or temporary impact on stock prices.” In a recent Harvard Business Review article, industry analysts infer that shareholders “are numb” to news of data breaches and look at them as part of the cost of doing business, she says.

Kris Klein, the Canada-based managing director of the International Association of Privacy Professionals, says he doesn’t see many companies keeping consumers in the dark about data breaches. The nonprofit association of privacy professionals has more than 20,000 members in 83 countries.

Klein, who also is a partner in the law firm nNovation, admits, though, that organizations that approach him are usually trying to obtain advice about what to do when a breach occurs—“and they want to do the right thing.”

Fears put to rest

Kris Klein, International Association of Privacy Professionals managing director and nNovation partner

“Many organizations that have a data breach are afraid of the harm to their reputations,” Klein says, “but, if the notification process is handled well, reputational damage can be minimized. In Canada, the Office of the Privacy Commissioner works with reporting organizations to mitigate damage, and, once organizations realize that it isn’t really an adversarial system, things go smoothly.”

Wasser says there are reasons other than protecting the bottom line why a company may not reveal a data breach.

The company may not be aware of the breach or may have contained the breach and determined it did not pose risks to people whose information was affected, she says.

A company also might delay revealing a breach if disclosure could compromise an investigation or point attackers to a weakness that has not yet been remedied, Wasser says.

If there is no legal obligation to report a data breach, concern about loss of business could be a factor in a company’s decision not to report it, the privacy expert says.

Class-action lawsuits have been filed in recent years in response to data breaches.

“The prospect of being subject to one or more such lawsuits could be a deterrent to voluntary disclosure of breaches,” Wasser says. “However, in a number of jurisdictions in Canada, the USA and other countries, there are mandatory statutory breach reporting obligations. In such jurisdictions, companies may have to report breaches although they may have a financial impact on the company or result in litigation.”
