Half of Canadian executives say they have low or no concerns about a potential breach involving their own business, a new survey for the federal privacy commissioner has found.
The survey of 1,014 Canadian senior decision-makers with responsibility for and knowledge of their company’s privacy and security practices was conducted last fall. Asked to rate their level of concern about a possible data breach, nearly one-quarter (23 per cent) of respondents said they are extremely concerned, whereas 36 per cent said they were not concerned at all. Overall, nearly half (48 per cent) were at least moderately concerned (scores of three or higher on the seven-point scale) and half (50 per cent) expressed low or no concern at all.
The responses alarmed privacy commissioner Daniel Therrien.
“The low level of concern amongst some businesses is surprising given the significant number of major breaches we see occurring,” he said in a statement. “The risk of a breach is an issue every business that collects and uses personal information must be alert to. Breaches can have negative consequences for affected individuals, but also for the organization, including, for example, loss of consumer trust.”
Compared to a similar survey run by the office three years ago, concern over data breaches has actually decreased among Canadian businesses. Then the proportion of executives not concerned about a possible breach was 44 per cent.
Only four in 10 firms said they have policies or procedures in place in the event of a breach involving customer personal information—a number that remains unchanged since 2015. Just over half of respondents said their company does not have any breach response protocols or procedures in place (eight per cent were uncertain whether or not their business has protocols).
However, approximately two-thirds of respondents (68 per cent) said their company attributes high importance to protecting the personal information of their customers.
The survey was commissioned by the Office of the Privacy Commissioner of Canada to better understand the privacy awareness and practices of businesses. The results can be considered accurate to within plus or minus 3.1 per cent, 19 times out of 20.
David Swan, the Alberta-based director of cyber intelligence for the Centre for Strategic Cyberspace and Security Science, found the survey results “disappointing … also rather frustrating. The lack of awareness is dangerous” — but not unexpected. Canadian news media don’t cover cyber security very well, he said, federal parties don’t have solid security policies, provincial governments aren’t publicly vocal on the issue and local police departments don’t have the resources to investigate data breaches. “So Canadian business is operating in something of a vacuum,” he concluded.
Some survey respondents may not have a lot of personal data of customers and may see protecting the little they have as a relatively low priority, he agreed. Still, Swan added, they ought to see themselves as targets.
“In Alberta there’s a lot of companies that support the energy sector, and there are some really interesting small to medium sized businesses who have technical specialties. Their intellectual property and their client list is their lifeblood. And many of them don’t see themselves as targets, and really they are. It’s terrifying.”
Privacy expert Ann Cavoukian found the fact that concern among business executives about a possible data breach has gone down since the last survey “astounding.”
For months there have been news stories on the upcoming European Union General Data Protection Regulation (GDPR), data breaches and polls showing public concern over breaches is going up while trust in organizations’ ability to protect personal data is going down. “I don’t know how they (business leaders) could be so clueless,” she said.
Governments, the IT industry and business associations need to work harder to raise business awareness, she said.
Kevvie Fowler, partner and national resilience leader at Deloitte Canada, said the survey implies there’s complacency among some businesses. While only 40 per cent of respondents said they have a data breach response policy, many are aware of and feel their firm complies with Canadian privacy law. It suggests some organizations are mistaking compliance with security, he said, “which of course isn’t the case.”
Fowler also said that many firms he talks to don’t realize the personal data they keep on customers is sensitive. They don’t think basic information — names, addresses, phone numbers and email addresses — is as sensitive as, for example, a social insurance number and needs good privacy and security controls.
The need to comply with the upcoming mandatory data breach notification law and, for some organizations, to meet the requirements of the new European Union’s General Data Protection Regulation (GDPR) will help raise awareness of the need for incident response and privacy control, he said.
Kellman Meghu, former Americas security architect for Check Point Software and now a Toronto-based consultant, said he is “shocked and disappointed” at the number of respondents saying they aren’t concerned at all about a possible data breach. “We know first hand the impact of ransomware on a company and its data. How are you not terrified about the potential of a breach? And to just think ‘won’t be me’ is pretty much sticking your full head in the sand. I would be extremely disappointed to find out an organization was taking that stance with my data.”
The survey also found that small businesses had lower levels of awareness of their privacy responsibilities than larger organizations, with 43 per cent of small businesses indicating awareness versus 64 per cent of large organizations (100+ employees).
Nearly three-quarters of respondents said their company stores the customer information it collects on-site electronically, a change from previous years, when storing information on paper was the top storage method. Paper was cited by 56 per cent this time. Other methods of storing customer information include the use of portable devices, like laptops, USB sticks or tablets (26 per cent), and off-site storage with a third party (18 per cent).
About 94 per cent of the businesses surveyed use at least one security method to protect the personal information of their customers, no change since the 2015 survey. Similar to 2015, the most common measures employed are passwords (78 per cent) and physical measures (77 per cent). A smaller proportion of respondents said their company uses organizational controls (60 per cent), technological measures (59 per cent), and system review tests and security updates (55 per cent).
Consistent with 2015, approximately two-thirds of surveyed business executives (68 per cent) said their company attributes high importance to protecting the personal information of their customers. Nearly half or more said they have a designated privacy officer (59 per cent), internal policies for staff that address privacy obligations (50 per cent), and procedures for dealing with customer complaints (51 per cent) or customer requests to access their personal information (47 per cent). These results are virtually unchanged since 2015. In addition, 37 per cent (up from 32 per cent in 2015) provide staff with regular privacy training and education.
Among companies saying they have a privacy policy (486 respondents), more than nine in 10 say it explains in plain language what personal information is being collected and for what purpose it is being collected. In addition, three-quarters of these companies say their privacy policy clearly explains which parties the collected personal information will be shared with.
Still, among the companies with a privacy policy, only half (52 per cent) explain the risk of harm in the event of a breach in their policy.
In an interview, Anne-Marie Hayden, the privacy commissioner’s director of communications, was asked whether a question such as “are you worried about a data breach?” provides useful information. An executive might think, for example, that worrying about cyber security is the job of the IT department, or that he or she isn’t paid to worry.
Hayden said the answer to that question should be looked at in context with the question on whether the organization had procedures in place to handle a breach. Over half said they had no procedure, she pointed out. She also noted that respondents were senior decision-makers with responsibility for and knowledge of their company’s privacy and security practices.
“Senior management support is key to a successful privacy management program and essential for a privacy respectful culture,” she said. “When senior management is committed to ensuring that the organization is compliant with privacy legislation, the program will have a better chance of success, and a culture of privacy will more likely be established.”
(NOTE: This story has been updated from the original to include comment from Anne-Marie Hayden of the privacy commissioner’s office, and comments from Ann Cavoukian, Kellman Meghu and Kevvie Fowler)