“There’s too much onus resting on the individual,” Shull said. “The status quo of the way we do data breach enforcement in this country is not sustainable.”

Earlier this week, Capital One announced that a hacker had breached its cloud data systems and stolen personal information tied to around 100 million American customers and six million Canadian customers.

Of the Canadian customers, roughly one million social insurance numbers were stolen.

The FBI has arrested Paige A. Thompson, who allegedly carried out the breach.

In Canada, both the Office of the Superintendent of Financial Institutions and the Office of the Privacy Commissioner (OPC) have indicated that they’re looking at the incident.

But industry experts say that Canada’s privacy enforcement is mostly toothless, and if the Capital One breach is anything like the last two major privacy breaches, it’s unlikely that there will be serious penalties here.

Earlier this month, credit reporting agency Equifax reached a settlement with the U.S. Federal Trade Commission that includes up to US$700 million in penalties, including payments of $125 directly to customers who were affected.

In Canada, the OPC investigated and made recommendations. Equifax accepted most of what the OPC put forward but refused one of the recommendations: to offer Canadians a “credit freeze” product to prevent scammers from fraudulently checking victims’ credit scores. While the company offered four years of credit monitoring for Canadians affected by the breach, it didn’t have to pay a fine.