Verizon is the latest company to announce that up to 14 million subscribers’ records were potentially exposed to hackers. The exposed data included customers’ names, addresses, cell phones, and account PINs. The hack was so comprehensive that the hackers could potentially have taken over customers’ accounts and hijacked their phones (ZDNet). The Verizon hack is just one of many high-profile data breaches that have been announced in 2017. Major companies such as Arby’s, Saks Fifth Avenue, Kmart, Blue Cross Blue Shield / Anthem and UNC Health Care are just a handful of the companies that announced this year that their data had been breached (IdentityForce). Despite these high-profile data breaches, a large minority (43%) of hacking attacks with the goal of obtaining business data are on small businesses (Small Business Trends).
Even with the rise in data breaches, in Canada there is currently no enacted federal law requiring companies to disclose that they have been hacked or had a data breach. However, that may change soon, as the 2015 Digital Privacy Act, which requires businesses in Canada to report any cyber security breaches as soon as they are aware of them, may come into effect soon. Although it was passed in 2015, the law has not yet come into effect, in order to give the government time to create related regulations that would outline specific requirements to follow in the case of a data breach (Ottawa Citizen).
Once the law comes into effect, probably in late 2017, companies that have had data breaches will need to:
- Notify customers of the breach and what steps the customer needs to take to protect themselves.
- Companies cannot delay the notification of any data breaches to customers, and therefore they must work fast to close up the security holes that led to the breach.
- Companies will need to keep records of all data breaches.
- Data breach notifications will be reviewed to ensure they were handled correctly and companies could face large penalties if it was found that they failed to act according to the law after a data breach.
The Digital Privacy Act underscores the danger that data breaches pose to businesses and their customers. It is more important than ever for every company in Canada to take proper measures and to work with vendors and credit card processors that take data security extremely seriously, to help protect their company from costly data breaches so they do not have to worry about the Digital Privacy Act.