Will Capital One be held accountable for data breach? In Canada, probably not

“The status quo of the way we do data breach enforcement in (Canada) is not sustainable,” says Aaron Shull, managing director and general counsel for the Centre for International Governance Innovation.
The six million Canadians who had their personal information compromised in the Capital One data hack might get some sort of compensation eventually, but they shouldn’t hold their breath, according to industry experts.

Unlike in the United States and Europe, where governments have stepped up enforcement and moved to impose massive fines on companies who mishandle personal data, Canada’s laws just aren’t set up that way.

In Canada, the responsibility mostly falls to private citizens seeking redress through civil lawsuits, according to Aaron Shull, managing director and general counsel for the Centre for International Governance Innovation, a Waterloo-based think-tank focused on global innovation policy.

“There’s too much onus resting on the individual,” Shull said. “The status quo of the way we do data breach enforcement in this country is not sustainable.”

Earlier this week, Capital One announced that a hacker had breached their cloud data systems and stolen personal information tied to around 100 million American customers, and six million Canadian customers.

Roughly one million of those Canadian customers also had their social insurance numbers stolen.

The FBI has arrested Paige A. Thompson, who allegedly carried out the breach.

In Canada, both the Office of the Superintendent of Financial Institutions and the Office of the Privacy Commissioner (OPC) have indicated that they’re looking at the incident.

But industry experts say that Canada’s privacy enforcement is mostly toothless, and if the Capital One breach is anything like the last two major privacy breaches, it’s unlikely that there will be serious penalties here.

Earlier this month, credit reporting agency Equifax reached a settlement with the U.S. Federal Trade Commission worth up to US$700 million, including payments of $125 directly to customers who were affected.

In Canada, the OPC investigated and made recommendations. Equifax accepted most of what the OPC put forward but refused one of them: to offer Canadians a “credit freeze” product, which blocks lenders from pulling a victim’s credit file and so prevents fraudsters from opening accounts in the victim’s name. While the company offered four years of credit monitoring to Canadians affected by the breach, it did not have to pay a fine.

Facebook, too, has escaped relatively unscathed in Canada.

While the social media giant was hit with a US$5 billion penalty as part of a settlement with the FTC for various privacy missteps, it disputed the validity of the OPC’s finding that it broke Canadian privacy law in relation to the Cambridge Analytica scandal, and refused to accept the commissioner’s recommendations.

“We have made a number of recommendations to address these problems. Facebook has declined to implement them. This situation highlights serious weaknesses with our current privacy protection framework,” Commissioner Daniel Therrien said at the time.

“It is untenable that organizations are allowed to reject my office’s legal findings as mere opinions.”

Ira Goldstein, chief operating officer with cybersecurity firm Herjavec Group, said that some forms of compliance certification are important to companies, but most businesses aren’t really worried about PIPEDA, the main privacy legislation in Canada.

“I can tell you that the operators of the companies in Canada probably aren’t sitting around saying, ‘I hope we don’t get that $100,000 fine from PIPEDA,’” Goldstein said.

“They don’t want to be in the news, and they don’t want negative brand impact, but is that really a deterrent, or is that really an encouragement for them to spend more on security? I don’t think it is.”

A lack of deterrence is a major problem in Canada, according to CIGI’s Shull, who says he had a Capital One card and thus suspects he was affected by the breach.

He said he doesn’t expect Capital One to face any serious consequences in Canada until a class-action lawsuit makes its way through the courts.

“Maybe if I’m lucky I’ll get credit monitoring and identity theft insurance a few months from now, potentially. I’ll have to go through all that stuff, I’ll have to incur all those expenses, and none of which will be compensated until, let’s say five years down the road, once we’re through the civil case that will come as a consequence of a class action,” he said.

“So I will not see any real money to compensate me for my actual losses for half a decade — if I’m lucky. Does that sound like a reasonable way to structure a system?”

Copyright Postmedia Network Inc., 2019