In Quebec, a new law that came into effect on September 22 – Law 25 – obliges any company that is the victim of a data leak to notify the Commission d’accès à l’information du Québec.
The companies concerned must also have designated a person responsible for the protection of personal information and have published that person's title and contact information on the company's website.
In the case of a ransomware-type attack, there is no guarantee that a data leak has taken place.
“It’s quite possible, but we can’t be sure until the company says so,” explains Sylvain Lussier, of EVA Technologies, which specializes in computer security.
Still “immature”
Law 25 is still "immature", the expert continues: it is new and has not yet been tested before judges in court, so it has not been "interpreted".
While Quebecers are now better protected thanks to this law, the fact remains that the majority of businesses are not yet up to speed.
“It’s so recent that companies aren’t ready,” explains the head of EVA Technologies, Éric Parent.
Some provisions of the law force companies to act now, while others will take effect in September 2023.
Be that as it may, the law in its current form allows Quebecers to be notified in the event of a “confidentiality incident” concerning their personal information.
We will know in the next few days if Sobeys has been the victim of a data breach.
Yesterday, the Commission d’accès à l’information du Québec did not respond to requests from the Log on this subject.