One of the world's biggest insurance companies has registered to lobby the federal government on information breaches, as anti-terrorism Bill C-51 creates more risk by allowing for the sharing of sensitive information across departments and agencies.
Zurich Insurance Group Ltd., a global insurance company based in Switzerland that collects $1.3-billion annually in gross insurance premiums in Canada, registered in late June to lobby federally and identify "concerns for information breaches and mitigating such risks," according to the lobbyist registry.
The company aims to inform the government about the risks of information breaches in the public and private sector, and how security and privacy insurance may not always leave companies and organizations protected.
Greg Irvine, vice-president of specialty products for Zurich Insurance's Canadian unit, said Bill C-51's information transfer provisions create more risk.
"Anytime there's a transfer of information, especially personal identifiable information, there's greater risk of a breach," Mr. Irvine said. "And if there is a breach, will that lead to liability issues or litigation?"
What's the issue?
Information breaches in the public or private sector are a growing concern for companies that are trying to reduce the risk of leaks or hacks and looking to plan for when one occurs.
Mr. Irvine said demand for the company's security and privacy insurance has been growing 50 per cent a year since 2010. He said demand is highest in the financial and health-care sectors, with interest also picking up in the retail market due to the retention of customer data.
The federal government is a massive storehouse of private information that could affect companies and organizations if any of it was to get out.
Hacker network Anonymous claimed responsibility for a denial-of-service attack last month on Canadian government websites, shutting down the websites of spy agencies CSIS and CSEC. CSIS's website was again taken down on Tuesday by another DoS attack, which is a flood of traffic as opposed to a breach.
The government's anti-terrorism bill, C-51, has passed Parliament, and will allow security agencies additional powers to gather intelligence and for information-sharing across government departments and agencies for security purposes.
Zurich Insurance's lobbying registration also identifies Bill C-59, the federal budget bill, as a possible concern. The bill expanded the government's collection of biometric information, such as fingerprints and digital photos, to visitors from 150 countries.
Canadian citizens, companies and public sector organizations can be affected by information breaches. Attacks in recent years in the U.S. have led to major breaches at Sony Pictures, Anthem health care and retailer Target.
"There are increasingly sophisticated attacks being brought by criminal organizations looking to get access to data for all kinds of nefarious reasons, including identity theft," said David Elder, a communications and privacy lawyer with Stikeman Elliott in Ottawa.
Companies and organizations can face big lawsuits from citizens for breaches or the loss of data.
"I can tell you that most clients have acknowledged that it's not if there's an exposure to a cyber breach, but it's when," Mr. Irvine said.
Lisa Murphy, a spokeswoman for the federal Treasury Board, said the government has provided additional funding to protect Canada's cybersystems.
"The Government of Canada has robust systems and tools in place to monitor, detect and investigate potential threats, and takes active measures to address and neutralize them," Ms. Murphy said. "Significant investments in Canada's Cyber Security Strategy are designed to defend against electronic threats, hacking and cyberespionage."
Who's lobbying whom?
Zurich Insurance, which has hired Hill+Knowlton Strategies to lobby in Ottawa, aims to be an information resource for the government as it develops policy, Mr. Irvine said. He said he also wants to explain to the government that security and privacy insurance only covers so much, and that major breaches, such as hacks, can sink companies.
In some jurisdictions, he said, if a government labels a cyberattack an act of war, the insurance would not cover a breach for affected clients.
"I think the government also needs to understand that there are limitations to insurance. We're not the silver bullet. We can't bear all the financial costs," Mr. Irvine said.
At the same time, Zurich is seeking more information about the government's breach notification regime under Bill S-4, as some of the company's clients are looking to Zurich for guidance on the program. Under that regime, organizations will be required to notify individuals of a data breach.
Oakville, Ont.-based FCT Insurance Co. Ltd. is also registered to lobby on the anti-terrorism amendments and the data breach notification regime, among other issues, according to the registry.
Big data companies are also registered on the same issues. Google Inc.'s Canadian division is registered to talk to the government about several pieces of legislation, including Bill C-51 "in respect of internet safety, data protection and online surveillance."
Bill C-51, C-59 and S-4 have passed into law, so there is no opportunity for amendments.
Regulations are expected late this year or next year to clarify the rules surrounding the government's information breach notification regime, which also requires companies to keep records of breaches.
Simon Doyle covers lobbying and the intersection of business and politics in Ottawa. He writes for Politics Insider, which is only available to subscribers of Globe Unlimited.