June 6, 2018 by Jason Contant
Canada’s privacy commissioner is looking to add some bite to the country’s federal privacy laws.
And if you need another reason to keep cyber insurance top of mind for your clients, look no further than a recent survey from the Office of the Privacy Commissioner, which found that half of Canadian executives have little or no concern about cyber breaches at their organizations.
Daniel Therrien, the federal privacy commissioner, appeared before the Senate Open Caucus on May 30 to request more power for his office to enforce Canada’s privacy laws.
One change would give the commissioner the power to “enter an organization and independently confirm that the principles in federal privacy laws are being respected – even if a violation of law is not suspected,” the Office of the Privacy Commissioner of Canada (OPC) said in a press release late last week.
“These inspection powers exist in other regulated industries, why isn’t our personal information worthy of the same protection?” Therrien elaborated in his remarks before the Senate Open Caucus. “The time has also come to provide my office with the power to make orders and issue fines, helping us to more effectively deal with those who refuse to comply with the law.”
Late last week, the OPC released the results of a survey that found that despite numerous high-profile data breaches in recent years, half of Canadian executives say they have “low or no concerns” about a potential breach involving their own business. In fact, concern over data breaches has actually decreased among Canadian businesses, with the proportion of executives not concerned rising to 50% in the most recent survey from 44% in 2015.
“The low level of concern amongst some businesses is surprising given the significant number of major breaches we see occurring,” Therrien said in a press release. “The risk of a breach is an issue every business that collects and uses personal information must be alert to. Breaches can have negative consequences for affected individuals, but also for the organization, including, for example, loss of consumer trust.”
According to the OPC-commissioned survey of 1,014 Canadian businesses, only four in 10 respondents have policies or procedures in place in the event of a breach involving customer personal information, a number that remains unchanged since 2015.
Small businesses in Canada had lower levels of awareness of their privacy responsibilities than larger organizations, with 43% of small businesses indicating awareness versus 64% of large organizations (100+ employees).
Regarding federal privacy laws, two-thirds (66%) said they have taken steps to comply, 29% have not taken steps and 5% don’t know. The likelihood of an organization having taken steps to comply generally increased with business size. Fifty-eight per cent of businesses with fewer than five employees took steps to comply, whereas the number jumped to 91% for businesses with 100 or more employees.
A Kaspersky Lab study released late last month found that North America was the most expensive location for small and medium-sized businesses (SMBs) to suffer a data breach, with SMBs in Canada and the U.S. also having the highest recovery cost (US$1.6 million).