- Published: 02 Nov 2018
New privacy rules designed to better safeguard the personal data of Canadians and let them know when it has been breached take effect November 1, 2018, but even security experts say they are far from perfect.
The legislation, known as the Personal Information Protection and Electronic Documents Act (or PIPEDA), does a lot of things, but most importantly from a consumer's perspective, it requires Canadian companies to alert their customers any time their personal information may have fallen into the wrong hands.
Much of the law is aimed at preventing breaches in the first place, but as of now, companies big and small are required to notify the office of the Privacy Commission of Canada any time there's "a real risk of significant harm to an individual" from a security breach, even if the exact terminology of what constitutes a breach will still be open to interpretation. Among the new rules is a requirement that companies must keep accurate data about cybersecurity safeguards for two years afterward, in case breaches are revealed down the line. The law also calls for "appropriate" digital safeguards at all parts of the business, including dealings with third-party contractors. The rules call for stiff penalties, too — up to $100,000 per violation — a sum that should be enough to frighten many businesses into updating their IT infrastructure. But many will have problems complying with the new rules, partly because of a lack of awareness.
"The vast majority of business owners don't know that this is happening," says Monique Moreau, a vice-president at the Canadian Federation of Independent Business. "Among all the changes and government regulations," she says, "data breach reporting requirements are not going to be top of the list." She gives the example of a hypothetical small local business, such as a bicycle shop, that likely emails its existing customers a few times a year to alert them to new sales. Previously, that store likely didn't have to think very much about what email service it was using, or where the credit card data from any sales it conducted online was being stored. "But now these guys are going to take the fall because the email service they were using got hacked," she says.
See original CBC News article here