On November 1, updates to the Personal Information Protection and Electronic Documents Act (PIPEDA) will be in effect. Included in these updates are rules requiring mandatory notification of the Office of the Privacy Commissioner of Canada (and of affected individuals) if certain types of security breaches of personal information occur. Considering the repercussions, including the fines and legal fees that may follow a failure to report, Canadian companies would be wise to address data security issues as soon as possible.
Personal Information Protection and Electronic Documents Act
The Canadian government is cracking down on negligent handling of individuals’ personal information. Any breach of personal data that involves a real risk of financial loss, humiliation, identity theft, harm to relationships, or loss of reputation must be reported. Notifications must be made not only to the Office of the Privacy Commissioner of Canada but also to the individuals affected by the breach. These rules are going to be enforced, and Canadian organizations need to be well acquainted with the guidelines involved.
Breaches Are on the Rise – But So Is
Considering that data breaches, hacking, and other types of cyber crimes are on the rise, organizations should be paying closer attention than ever to their privacy practices. When large corporations like LinkedIn, Facebook, and Equifax suffer from breaches, one would think that companies would be even more diligent about their cybersecurity. However, it seems that the effect has been the opposite.
Recent surveys by the Privacy Commissioner’s Office indicate that far too many businesses are simply not concerned enough with preventing and responding to breaches. Companies seem to have grown complacent: they tolerate poor password policies, employees falling victim to social engineering, and servers compromised by malware. Phishing emails, drive-by downloads, ransomware, and data theft are all serious problems, but organizations don’t seem especially concerned.
Every organization that uses personal information is at serious risk, though. Billions of passwords have already been stolen across the world, and many of them are up for sale on the Dark Web along with other private information. Cybercrime is reaching epidemic levels, and it makes sense for companies to be much more vigilant.
And the targets are not just large, well-known companies. More and more small to medium businesses are becoming victims of attacks, including ransomware, data theft, and even industrial espionage. In short, no organization is safe from security breaches – and the federal regulations regarding these breaches are the same for both small and large businesses.
Breach Response Plans
These plans must exist before a breach ever happens, not be written after one has occurred. Breach response plans must be developed to comply with federal privacy requirements, including mandatory notifications for personal data that has been compromised, and they must be updated as the regulations are updated. Developing a robust breach response plan takes not only time but also experience.
Breaches must be detected quickly to minimize damage. However, detecting them requires systems and tools that can intelligently sort through logs and events, and it takes specialized security skills to investigate an alert effectively and perform damage control. Tracking down how a breach happened requires forensic skills.
Detection and response are far more than a report or a system check run once a week – they form a continuous process that runs 24/7. Breaches must be detected as soon as possible, and the response plan must be enacted immediately once a breach has been confirmed. This urgency is reflected in the wording of the breach reporting rules, which state that the Office of the Privacy Commissioner must be notified “as soon as feasible.”
However, the average IT department (and even the typical IT service provider) will not have the resources and tools needed to adequately address all the threats that can develop.
Don’t Be Overwhelmed
When major companies that have powerful security systems and analysts at their disposal still fall victim to hackers, privacy compliance can seem overwhelming to small companies. And the pressure is growing: the Office of the Privacy Commissioner is also seeking new powers, including the right to enter an organization and confirm that federal privacy practices are in use even when no violation is suspected. If that happens, will your organization be prepared?
Fortunately, there are solutions in the form of third-party experts who combine key skills such as digital forensics, breach mitigation, and response plan development. They also have access to the tools needed to help your company ensure that it is PIPEDA compliant while reducing the risk of a devastating data breach. Don’t allow your company or organization to become complacent – reach out for the help needed to become PIPEDA compliant.