Privacy czar scolds Sony, calls for power to levy heavy fines

 

 
 
 
 
Jennifer Stoddart, Canada's privacy commissioner.
 


Photograph by: Handout, CNS

OTTAWA — Canada's privacy czar said Wednesday the "alarming trend toward ever-bigger data breaches" means it's time to give her the power to slap corporations with huge fines if they don't protect the personal information of their customers.

Jennifer Stoddart, speaking at the Canada 3.0 forum in Stratford, Ont., made the comments in the wake of a massive privacy breach involving tens of millions of Sony's online gamers and PlayStation customers worldwide, including many in Canada.

"I am deeply troubled by the large number of major breaches we are seeing, including serious incidents in recent weeks that have affected hundreds of thousands of Canadians," Jennifer Stoddart said in her address.

"It seems to me that it's time to begin imposing fines — significant, attention-getting fines — on companies when poor privacy and security practices lead to breaches."

Under Canada's privacy law governing the private sector, Stoddart has no power to impose any fines and companies are not required to report breaches to her office.

The Conservative government's most recent proposal to update the law, which died when the federal election was called, did not include any powers to impose fines.

The bill, expected to be reintroduced, included a provision for mandatory reporting to Canada's privacy watchdog if a company experiences a material breach. The legislation spelled out a different process for public notification, leaving it up to companies to decide whether the breach was serious enough to inform their customers.

In the case of Sony, Stoddart said Wednesday she was "very disappointed" the company did not proactively notify the Office of the Privacy Commissioner of the massive breach, even though Sony was not required to do so under the current law.

"On the private-sector side, we have seen an alarming trend toward ever-bigger data breaches," Stoddart said in her address at the conference, organized by the Canadian Digital Media Network.

"Only last week, Sony revealed that it had been attacked by hackers who obtained the names, addresses, email addresses, birth dates, usernames, passwords, log-ins, security questions and what Sony says was encrypted credit card data from 77 million PlayStation Network accounts."

After announcing the initial breach of its PlayStation Network last week, Sony revealed Tuesday that it was the target of a second attack by hackers. While that attack did not affect the debit or credit card information of Canadian online gamers, it may have exposed their personal information, raising the spectre of identity theft. This second breach, at the Sony Online Entertainment division, involved about 25 million customers worldwide.

In an interview, Stoddart said she will be writing Industry Canada in the next few weeks to ask the government to consider updating its legislative proposal when reintroducing amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). That's because much time has passed since she provided feedback about the private-sector privacy law as part of PIPEDA's statutory review.

"What has happened in Canada was, because of the difficulty in getting legislation through the minority Parliament, that its passing had been delayed by several years. And as time went on, this particular proposal was increasingly out of sync with the trend and out of sync with the continuing occurrence of major data breaches. They just seem to be getting bigger and bigger," Stoddart said of her push to impose fines.

Meanwhile, her office remains in communication with Sony to better gauge what happened and find out what Sony is doing to deal with the matter.

And in a letter released Wednesday to members of a U.S. House of Representatives committee, Kazuo Hirai, chairman of Sony Computer Entertainment America, defended the actions of the company against this "large-scale cyber-attack."

Hirai also noted the company has taken responsibility "for our obligations to our customers" and apologized for the "inconvenience caused by the illegal intrusion into our systems."

 
 
 
 
 
 
 