In Canada, Acceptance of Security Negligence Enables Privacy Violations
Acceptance is enabling. There is no other way to say it, but Canadians simply can’t be bothered to question data breaches, to report privacy violations or to care about the security of their own data in the hands of big name companies. According to the IAPP, the number of Canadians who reported no concerns whatsoever about the privacy of their data online increased by over 50% between 2018 and 2020.
Is there virtue in embracing Tim Horton’s as a venerable Canadian brand, when its Brazilian overlords placate Canadians with donuts in exchange for blatant surveillance of customers? The implication is not just that the class action lawsuit has such little chance of success that it might as well be turned into a PR stunt, but also that the company has no reason to delete the ill-gotten data unless victims stoop so low as to accept their coupon for a beverage and a pastry.
Equifax, LifeLabs, IKEA, Canada Post, TransUnion, Bell Canada, Nissan Financial, Medicentres, Desjardins, Ashley Madison, Capital One and dozens of others have suffered preventable data breaches and since then, it’s been business as usual. Even school boards have joined the racket, leveraging the pandemic to push privacy invasive “edtech” technologies on students and their families under the guise of modernization. According to a 2017 Centrify study, while big brands can take as much as a 7.5% hit to their stock market price immediately after a data breach, the losses are often erased after as little as a week.
Where there is no security legislation, privacy regulations are largely unenforceable. Since 1948, privacy has been a right afforded to all humans, but without safeguards in place to enforce it, how can it ever be assured? Security controls are the glue that holds data protection together, enabling personal information to be handled with predictable consistency and ensuring that violations are detected, minimized and systematically corrected. In fact, the debate over whether the human right to privacy should be respected is still ongoing, with no resolution in sight.
Over the past 10 years, Canadian breaches have become so common they’ve been surfacing even in the absence of enforced regulations mandating reporting. While most continue to be swept under the rug, many become public and fade away as soon as they’re reported. The reputational impact is so negligible that companies do not hesitate to partner with foreign service providers and hide their indemnification clauses in the legalese that no one reads as they summarily access websites, install mobile apps and use ubiquitous cloud services.
If we want to have any sort of control over our own rights as citizens, we need to step up and contribute by taking advantage of the mechanisms that are afforded to us, even if they are not perfect:
> report security violations of Canada’s Anti-Spam Law to the CRTC
“Never be a spectator of unfairness or stupidity. The grave will supply plenty of time for silence. Beware the irrational, however seductive. Suspect your own motives, and all excuses. Do not live for others any more than you would expect others to live for you.” — Christopher Hitchens