Consumers and data breach prevention in Canada

In recent years, data breaches in Canadian companies have been on the increase. The digital environment increases the risk of security breaches, exposing consumers to identity theft and other harm. Many experts deplore the lack of cyber-security prevention in Canada, on the part of both businesses and consumers.

The online companies most popular with Canadian consumers generally give the public little information about the exact security measures they employ. Occasionally, a few provide more details, and even use cybersecurity as a selling point to entice consumers to use their services. Companies' user contracts may stipulate a number of obligations that consumers must respect with regard to the security of their account. At the same time, these contracts may contain clauses designed to exonerate the company from responsibility for data security.

A survey and focus groups of Canadian Internet users have revealed that consumers are concerned about security breaches. However, consumers know little about companies' cybersecurity practices, are unaware of many of their contractual obligations to these companies, and essentially rely on them to ensure the security of their data.

In addition, our study suggests that the need for information on cybersecurity is more pronounced among groups generally considered to be more vulnerable. Finally, our study found that consumers sometimes behave recklessly online, particularly when it comes to managing their credentials.

Under Canadian privacy laws, companies that store consumers' digital data must adopt adequate security measures to protect that data from security breaches, and must comply with other obligations that also contribute to its protection. However, the absence of serious financial penalties for security breaches means that Canadian law is not prescriptive or dissuasive enough to encourage companies to apply it preventively. In this respect, promising draft legislation, inspired in part by European standards, could provide solutions of interest to Canada.

In conclusion, Option consommateurs recommends, among other things, strengthening companies' legal prevention obligations, substantially increasing the financial penalties that can be imposed on companies in breach of the law, and ensuring that the bodies responsible for enforcing information protection laws have adequate funding and powers to fully carry out their mission.

Considering the limited possibility for consumers to assess a company's security measures for themselves, Option consommateurs recommends that public authorities conduct proactive audits of online companies, to ensure that consumers using their services are adequately protected.