That's an excellent question.
We're finding that the most meaningful research we're doing is at the enterprise level. It accounts for the vast majority of personal information breaches, and for the breaches that are in the tens or even hundreds of millions of victims. So in looking at how large organizations are handling data breaches, we're finding it entirely inadequate because there is a huge machine that kicks in. As soon as there's a breach, there's a huge communication security component that kicks in, and it has everything to do with reputation management. For reputation management protection, they immediately kick in. Obviously, they'll work with law enforcement, but they don't do it quickly enough.
For example, in Canadian privacy law there's always that written expectation that you need to be right on top of things and start sharing and documenting information right away. We're finding that enterprises are sometimes taking a month or two to report breaches. By that time, of course, the victims have already seen their information copied, re-copied, resold, and repackaged many times, and that's a big issue.
But the bigger issue that we're seeing is in the inadequacy of that response, which has to do with simply taking part in this reactive way of engaging with the credit bureaus and saying, “Okay, how much is this going to cost us on a per record basis? We lost 10 million records. What will it cost us?” They engage with TransUnion or Equifax, and they offer this service free for one year. This free service for one year simply gives people access to a dashboard and sends an e-mail when a breach is detected by the system. I've never met anyone who received a meaningful message regarding their identity data. I have met a few people who have received meaningful messages when it comes to their credit rating changes, but there's very little assistance as to what happens next. So it tends to be a measure that is entirely inadequate as far as we're concerned.
As far as what would be adequate is concerned, first, we need to have some legislated expectation as to the number of days that organizations need to allow before they contact law enforcement. Our preference is that they already have a relationship at least with privacy commissioners, and they have the right practices in place and the right privacy impact assessments conducted so that these can right away be examined and analyzed by law enforcement and by commissioners as soon as a breach is detected.
The lack of breach notification in Canada is a major drawback, at least on an international scale, let's say, compared with the U.S., where breach notification is legislated. Here in Canada we don't have that, except in certain sectors, such as health care in western Canada, but it's not pervasive. So it's poorly understood and it has been very much pushed back, simply because as soon as you say “breach notification requirement”, it automatically means that every organization needs to invest actual money in detective controls, in the ability to detect breaches. Without the ability to detect breaches, they don't have to be necessarily responsible for these things because they can claim ignorance. But once they detect them, they have to do something about them.
My big thing is to legislate breach notification and that will protect the public.