Disclosure inconsistent as Canada data breaches multiply

Compromised companies may have good reasons to keep hacks under wraps


Canadian companies are being hit hard by data breaches, at least according to analysis of major hacking capers that have been publicly disclosed.

Results of an IBM-sponsored study released in May revealed data breach damages on average topping $4 million for cases reported over roughly the past year.

The study, conducted by the Ponemon Institute, analyzed 21 Canadian companies with data breaches during fiscal 2015 and found the breaches cost, on average, $4.4 million (U.S. dollars). The average number of records breached at each company was 20,456.

With such a high cost—including loss of customer business—it’s not surprising that many Canadian companies may be reluctant to announce a data breach.

Related story: Devil is in the details for Canada’s data breach disclosure law

The Toronto Star newspaper reported in August that “Canadians are clueless about the vast majority of corporate data hacks, because companies suffer greater financial losses when they reveal they’ve lost data than when they keep consumers in the dark.”

Openness is the norm

Several privacy experts interviewed by Third Certainty, however, say Canadian companies should be given more credit for reporting data breaches.

Lyndsay Wasser, McMillan LLP privacy group co-chair

“It is difficult to hide significant data breaches, and I think that organizations realize that it is better to be proactive and transparent,” says Lyndsay Wasser, co-chair of business law firm McMillan LLP’s privacy group. “By being open and accountable, organizations can reduce the negative impact on customer trust and, therefore, reduce loss of business.”

Wasser says past data breach incidents have had “only a minimal or temporary impact on stock prices.” In a recent Harvard Business Review article, industry analysts infer that shareholders “are numb” to news of data breaches and look at them as part of the cost of doing business, she says.

Kris Klein, the Canada-based managing director of the International Association of Privacy Professionals, says he doesn’t see many companies keeping consumers in the dark about data breaches. The nonprofit association of privacy professionals has more than 20,000 members in 83 countries.

Klein, who also is a partner in the law firm nNovation, admits, though, that organizations that approach him are usually trying to obtain advice about what to do when a breach occurs—“and they want to do the right thing.”

Fears put to rest

Kris Klein, International Association of Privacy Professionals managing director and nNovation partner

“Many organizations that have a data breach are afraid of the harm to their reputations,” Klein says, “but, if the notification process is handled well, reputational damage can be minimized. In Canada, the Office of the Privacy Commissioner works with reporting organizations to mitigate damage, and, once organizations realize that it isn’t really an adversarial system, things go smoothly.”

Wasser says there are other reasons why a company may not reveal a data breach besides protecting the bottom line.

The company may not be aware of the breach or may have contained the breach and determined it did not pose risks to people whose information was affected, she says.

A company also might delay revealing a breach if a revelation could compromise an investigation or point out a weakness that has not yet been remedied, Wasser says.

If there is no legal obligation to report a data breach, concern about loss of business could be a factor in a company’s decision not to report it, the privacy expert says.

Class-action lawsuits have been filed in recent years in response to data breaches.

“The prospect of being subject to one or more such lawsuits could be a deterrent to voluntary disclosure of breaches,” Wasser says. “However, in a number of jurisdictions in Canada, the USA and other countries, there are mandatory statutory breach reporting obligations. In such jurisdictions, companies may have to report breaches although they may have a financial impact on the company or result in litigation.”
