It's All About Transparency
- First Posted: Jul 28 2011 08:04 AM
Without proper laws governing public disclosure of data security hacks, Canadians remain at risk.
Another day, another hack. Apple, Sony, Citigroup, and Lockheed Martin are just some of the big-name companies afflicted by recent cyber-security breaches. Canada has not been spared. Beyond the attacks on the federal Treasury and Finance Departments, Sony, Husky Energy, and Honda have all had Canadian branches or units compromised in recent hacks. Even major Canadian law firms have been victimized.
As expected, privacy concerns are being raised about the massive amounts of personal and financial information that these and other companies hold, and about the data safeguards – or lack thereof – that leave that data vulnerable to theft and exploitation.
Despite these real public concerns, a troubling trend is emerging – a tendency for companies to sit on information about hacks and data breaches, sometimes for weeks, before going public, and, even then, to downplay the severity and scope of the breach.
Sony was the victim of a massive data breach in early April, and, later that month, its PlayStation network was hacked a second time. However, the second time around, Sony delayed disclosing the fact that it had been hacked, and even misrepresented the timeline for when the company had found out about the second hack. Similarly, Citigroup sat on a data security breach for almost a month before disclosing information about it, and still understated the seriousness of the attack: At first, Citigroup said data was stolen from 200,000 bank accounts. Then it said data was stolen from 360,000 accounts. Tomorrow, who knows?
Lack of timely and frank public disclosure is a serious problem. First, it puts consumers and the general public at continuing risk. Without warning, customers continue to use potentially compromised sites and networks, making misappropriation of their personal and financial data even more likely. Ignorance robs us of the power to control our personal information, and makes informed choice impossible.
And, without the public scrutiny that disclosure attracts, there is little incentive for companies to take network security seriously, or to take the necessary, often costly, steps to prevent later attacks. According to a recent study from the Ponemon Institute, 79 per cent of internet cloud-computing companies dedicate less than 10 per cent of their resources to cyber-security.
What should we do about this in Canada? A few ideas have been floated. Some have pushed for more American-style class-action lawsuits based on such privacy breaches. In fact, Honda Canada was recently served a $200 million class-action lawsuit arising from its own data breach. Some, like Canada's Privacy Commissioner Jennifer Stoddart, have suggested imposing large fines on companies for cyber-security and data breaches.














