Equifax hack: How safe is your personal information?

In May, 143 million Americans had some of their most sensitive personal information exposed when Equifax, a credit rating company was hacked.

Here in Canada, it's believed about 100,000 people had their information breached.

Equifax says it only discovered the breach in July and went public with the news about two weeks ago.

Related: What we know about the Equifax breach — and what we don't

Canada's privacy commissioner says it has launched its own investigation.

Ann Cavoukian, a former three-term privacy commissioner for the province of Ontario, says this recent example of what CEOs know and don't report is "just the tip of the iceberg."

She suggests this might be an opportunity to introduce legislation "where CEOs will be required to disclose any material data breach upon discovery and personally certify the effectiveness of the internal controls over data security."

"And if they do something like that, everyone will take note that you've got to get in front of this. You can't allow these securities to lapse and then just take care of it after the fact," she tells The Current's Friday host Susan Ormiston.

'Risk to revenue'

Katherine Thompson points out that "government quietly announced … they will be making changes to the Personal Information Protection and Electronic Documents Act (PIPEDA). So that's a step in the right direction."

Thompson, chair of the cyber council at the private sector tech advocacy group, Canadian Advanced Technology Alliance, explains how the legislative changes will affect the marketplace.

"Private sector companies, irregardless of size, whether you're three employees or 3,000 employees, in the incident of a cyber attack or a breach, they have to mandatorily disclose to the Office of the Privacy Commissioner going forward," Thompson tells Ormiston.

Related: Equifax data breach a 'digital disaster' for Canadians

"They also have to notify any and all people that … have been impacted by this in a certain period of time [and] there's going to be specific fines levied up to $100,000 per offence."

Thompson says the biggest hit will be felt by the small business.

"For small to medium-sized enterprises in Canada, it's no longer a data breach, it's no longer a security risk, it's a risk to revenue."

What can Canadians do?

Year after year, the cause of data breaches is human error, says Thompson.

"So to look at cybersecurity as just an IT (information technology) issue is a siloed approach. You need to understand that it is a multifaceted people issue so they need to be involved in it," she tells Ormiston.

Thompson says Canadians have embraced digital economy — "we're certainly avid users of it but with the rewards of that digital economy come significant risks."

"We need to educate Canadians about what the risks are."

Beauceron Security CEO David Shipley, who specializes in cybersecurity, agrees with Thompson.

"People process culture and technology."

"When we help companies, we help them look at their whole risk and we work on patching their people, not just patching their systems, " says Shipley.

But when it comes to being proactive, Shipley says , "you can't do anything."

"Everything in place is all reactive."

"The reality is is that we have built a house on sand with respect to the digital economy, and we didn't properly architect how we do digital identity and digital signing and proof of who I am online — and now we're paying for it."

The Current did reach out to Equifax for comment but have had no reply from the credit rating agency.

Listen to the full segment near the top of this web post.

This segment was produced by Winnipeg network producer Suzanne Dufresne and Vancouver network producer Anne Penman.