Data Breach Prevention and the Canadian Consumer

In recent years, data breaches have been on the rise in Canadian companies. The risk of security leaks is heightened in the digital environment, exposing consumers to identity theft and other harmful consequences. Many cybersecurity experts are critical of the lack of effective preventive counter-measures in Canada, for businesses and consumers alike.

The online companies most popular with Canadian consumers generally give the public little information about the exact security measures they employ. A few occasionally provide more details, and even include cybersecurity as a marketing ploy to entice consumers to use their services. These companies’ user agreements may stipulate a number of obligations that consumers must respect concerning the security of their accounts. On the other hand, these same contracts may contain clauses designed to absolve the companies of their responsibility with regard to data security.

The survey and focus groups we conducted with Canadian Internet users found that consumers consider security breaches to be a matter for concern. However, these consumers are poorly informed about the cybersecurity practices of companies, are unaware of many of their contractual obligations toward them, yet rely primarily on those same companies to keep their data safe. Furthermore, our study suggests that the need for cybersecurity information is more pronounced among groups that are generally considered the most vulnerable. Finally, we found that consumers’ online behaviour is sometimes reckless, particularly when it comes to managing their login credentials.

Canada’s privacy laws require businesses that store consumers’ digital data to adopt adequate security measures to protect it from breaches and comply with other obligations to further ensure its protection. However, partly because it does not impose major financial penalties for security breaches, Canadian law is not sufficiently prescriptive or dissuasive to promote effective prevention. Certain draft legislation, based in part on European standards, could point the way to some interesting solutions for Canada in this regard.

In conclusion, Option consommateurs recommends strengthening companies’ legal obligations with regard to prevention, substantially increasing the financial penalties that can be imposed on those that violate the law, and ensuring that the organizations responsible for enforcing data protection laws have sufficient funding and powers to enable them to carry out their mission fully. Considering the limited ability of consumers to evaluate online companies’ security measures on their own, Option consommateurs recommends that the public authorities conduct proactive audits of such companies to ensure that consumers who use their services are adequately protected.