Nobody likes to talk about being hacked.
First of all, this is embarrassing.
For a company, it is a quick way to lose the trust of customers.
That's why you rarely hear about data breaches or cyber attacks at big companies unless the company is forced to admit that something has happened.
But over the next few months, whether they like it or not, more Canadian companies will have to start talking, particularly when the theft of personal information is involved.
Upcoming changes to Canadian privacy law and recent guidance from Canadian securities regulators mean that Canadian companies must not only disclose more information about cyber attacks than in the past, but also be more proactive in disclosing the specific risks that could lead to future attacks.
For Canadians, this should mean a better understanding of what companies do to protect your data.
If your data is lost or stolen, the company will have to tell you, or it may be fined.
No more sweeping large-scale attacks under the carpet.
Should the federal government also report breaches?
Kevin Fowler, KPMG's national leader for cyber response in Canada, said he expects the number of breaches reported this year to "soar".
With more breaches made public, there will be more angry victims, Fowler said, meaning the number of companies facing legal action may increase.
The hope is that, in the long run, greater transparency will help improve protection and reduce breaches.
"There should be a lot of information coming onto the Internet from these organizations this year," Fowler said.
Privacy lawyers have long suspected that "there are a lot of breaches that have never been reported because there is no obligation to report them," said Imran Ahmed, a partner at the law firm Miller Thomson who specializes in cybersecurity.
But that will begin to change later this year.
The short history is that in June 2015, the government of Canada passed the Digital Privacy Act, which, among other things, added mandatory notification and reporting of data breaches to Canada's privacy law.
According to a spokesperson for Innovation, Science and Economic Development Canada, the government expects to publish draft regulations "in early 2017", but could not say when the final regulations will be published or when they will take effect.
However, Ahmed and others in the industry say they expect the regulations to come into effect in the fourth quarter of this year.
Once they do, organizations will have to keep a record of all breaches, and any breach that poses a "real risk of significant harm" must be reported to the affected users.
"Normally, this means any information that could be used to commit fraud or launch a social engineering attack: for example, the name and address on an online shopping website, credit card data, security questions and passwords, or past orders.
But it could also include information that could embarrass someone or damage their reputation."
If breaches are not recorded, or users are not notified when required, Ahmed said, the result could be a fine of up to $100,000, "which is a step in the right direction" when it comes to giving the regulations some teeth.
The Canadian Securities Administrators (CSA), meanwhile, are doing their part to ensure that publicly traded Canadian companies are more transparent about their cybersecurity practices before they are hacked, not just after.
Last month, the CSA looked at how 240 listed Canadian companies discussed cybersecurity in their financial filings: the potential impact of cyber attacks, the information at risk, the personnel responsible for the company's cybersecurity, and any disclosure of previous breaches or attacks.
The CSA found that companies were failing to address cybersecurity risk in their disclosures.
In general, the CSA found that filings tended to use generic boilerplate language, even though different types of companies face different kinds of cyber attacks or threats, hold different types of data, and face different levels of risk.
Ahmed said the biggest risk for a bank is phishing (fraudulent emails claiming to come from a legitimate source), while for an online store it is a distributed denial of service (DDoS) attack: two very different risks.
"Shutting down a manufacturer's website may not have the same impact on their operations as a DDoS attack on an e-commerce business," said Ahmed.
In its guidance notice, the CSA stated that it expects issuers to "provide as detailed and specific risk disclosure as possible" and will monitor companies' compliance.
"I think the next step might be: right, compliance?" Ahmed said.
"We haven't arrived yet, but we are moving in that direction."