Canada is the laughingstock of the world when it comes to privacy. The Canadian Tire data breach is likely going to be the latest example.
It’s been a while since we got a fresh reminder of why Canada’s privacy laws are a complete and total joke. Reports are surfacing that Canadian Tire has become the latest company to suffer from a data breach. Personal information was exposed to unauthorized third parties as a result. From the CBC:
Canadian Tire Corp. Ltd. says it has identified a data breach involving personal information belonging to customers, which was stored in an e-commerce database.
The retailer says the breached information belongs to shoppers who had an e-commerce account with Canadian Tire or its other banners, SportChek, Mark’s/L’Equipeur and Party City.
The breached data included names, addresses, emails and birth years, as well as encrypted passwords and in some cases incomplete credit card numbers.
Canadian Tire says the full dates of birth for some 150,000 account holders were also part of the breach.
From a non-litigation perspective, the consequences of this are going to be non-existent. The only thing that the law allows is a strongly worded letter from the Privacy Commissioner (either federal, provincial, or both). After that, the company is basically free to just shrug their shoulders with this whole thing and carry on with business as usual. The worst case scenario is that customers figure out that they were the ones compromised (not an easy thing to do) and take the law into their own hands and file a lawsuit. Then, it’s up to the victims to get some minor form of compensation for having things like their bank accounts cleaned out by the perpetrators. Hey, a $20 gift card to Canadian Tire is worth all of this, right?
A big part of the problem is the fact that Canadian privacy laws are horribly out of date. I mean, the last time Canadian privacy laws were broadly updated was 25 years ago. At the time, just sending strongly letters seemed to be a proportionate response. After all, the infraction is typically that a paper document didn’t get properly shredded or someone opened a filing cabinet that they shouldn’t have. I mean, how damaging could a privacy breach possibly be?
Well, fast forward all these years later and we are seeing data breaches compromising hundreds of thousands, if not, millions of people all in one shot. It has become a routine headline that barely makes headlines because it’s, well, so common. What’s more, major multinational corporations are the ones losing that data, not some tiny little shop in the downtown core somewhere. It’s how you get corporations like Google learning that they can simply laugh off the strongly worded letter with no consequence.
The reality is that Canadian privacy laws badly need reforming. Canadian’s have been asking for this for years now. During the 2019 election, Canadian political parties heard the calls for privacy reform and, in a united voice, said that privacy reform is something that they’d totally get to. After the election, those political parties proceeded to naval gaze, drum their fingers, throw a few pencils into the ceiling tiles, and let the whole subject drop altogether. Then, when the next election hit, Canadians angrily demanded to know why the heck privacy reform didn’t get passed. Canadian political parties responded that privacy reform is totally a top priority. Most parties said that they’ll totally get right on it. This was followed up by significant delays, a reluctant tabling of a half measure of a privacy bill, repeated slow walking of the legislation, and allowing the bill to die on the orderpaper when the election was called.
Then, during this years election, some people asked again why there is no privacy reform. At that point, political parties largely stopped giving a damn about even raising the issue and largely ignored the issue. It isn’t as though the political parties don’t care about privacy reform. They actually very much do as long as the laws financially benefit their political campaigns. In that case, it’s all about loosening regulations as much as possible so they have access to as much of that sweet sweet personal information so they can micro-target you for advertising afterwards. As for what’s in your interest, nah, they don’t give a flying fuck about you. That would just be an unprofitable move for them, so it makes no sense to actually do things that are in your interest.
So, when people have 24/7 phone calls from scammers, their bank accounts cleaned out, someone illegally putting a second mortgage on their house and making off with that money, or a host of other things that happen to them, oh, too bad. Well, hopefully those victims can figure something out. They’re just politicians. What do you want them to do about it? Ask the companies to do better? Puh-lease! Those companies make way too many campaign contributions for politicians to give a flying fuck.
Still, at least one group is happy about all of this: the criminals that steal this information. After all, there are no security standards to really abide to, so they can just swing by the companies weak point every once in a while and help themselves to more of your private personal information. After all, there’s a pretty good chance that the security hole is still there for them to exploit. They probably make pretty good money off of the easy targets in Canada. So, no doubt they are laughing all the way to the bank.
The people that end up paying the price for all of this are Canadian’s. It’s a price they are forced to pay over and over and over again.
