Canadian Data Breaches

Nov. 1st Legislation: Canadian Data Breaches Must Be Reported to the Government

Beginning November 1st, 2018, companies that collect customer data must report Canadian data breaches that create “a real risk of significant harm to individuals”. Think confidential information such as SIN’s, banking information, health and legal matters. Both the Canadian government, specifically the Office of the Privacy Commissioner of Canada, as well as the individuals affected must be notified should confidential information be compromised. If individuals who should be notified are not notified, fines of up to $100,000 per individual will be issued.

 

How does it impact my company?

Organizations must provide a description of what they have done to reduce or mitigate harm in the report to the Privacy Commissioner should a hack occur. As a result, companies must show that they have implemented appropriate security mechanisms for the protection of consumer data. Financial and legal consequences will ensue should companies not take the appropriate steps to ensure Canadian data breach protection.

Consumers will also have grounds to take legal action against organizations that fail to keep personal information secure. Furthermore, corporate reputations and consumer trust will be damaged, impacting the success of compromised organizations.

 

What measures do I have to take?

A single-pronged cybersecurity approach is not enough to stop malicious events from occurring. For example, your company could install cybersecurity software, but if an employee unknowingly begins sharing confidential data with a hacker disguised as a coworker, the software is obsolete. Rather, a holistic approach to cybersecurity ensures all bases are covered in the event of an attack. That’s why SysGen recommends a three-pillar strategy to effective cybersecurity support. This includes people, policy and technology. “People” ensures that staff are educated to conduct appropriate cybersecurity behaviour. “Policy” ensures that effective corporate policies enforce corporate behaviour. And “technology” ensures the right technologies are in place to prevent a cyber attack from infiltrating company information.

In order to comply with the requirements needed for mandatory Canadian data breaches notifications, organizations should take the following steps: (SOURCE: Miller Thomson LLP)

First, ensure that the organization has written policies and systems in place allowing for internal monitoring, tracking and reporting of Canadian data breaches.

Second, ensure that organizational policies address containment, investigation, notification and remediation of Canadian data breaches and reflect the new requirements. This may include the development of a “matrix” allowing the organization to quickly determine whether the “real risk of significant harm” threshold has been met for notification purposes.

Third, assume that notifications to the Office of the Privacy Commissioner of Canada (OPC) and affected individuals may result in scrutiny of the organization’s security safeguards and overall response to a data breach. This may come in the form of regulatory investigations, legal actions launched by affected individuals (including class actions) or queries from the media.

Fourth, have a written “game plan” that takes into account key factors that matter to the organization (e.g., impact on the brand, operational disruption, etc.) and that outlines the organization’s response strategy.

 

Why is this happening?

In a 2016 public opinion study of Canadian citizens conducted by the Canadian government on privacy rights, the majority (92%) expressed some level of concern about the protection of their privacy. Among those concerned, almost two-fifths (37%) are extremely concerned about the protection of their privacy (up from the 34% in 2014 and 25% in 2012). In addition, three-quarters (74%) of Canadians think they have less protection of their personal information in their daily lives now than they did ten years ago and almost half (48%) of Canadians feel they cannot control how their personal information is collected or used by organizations. (SOURCE)

Canadians want to know how their data is being used and stored. They also want to know if it has been accessed and used by parties who did not receive permission. That’s why mandatory data breach notifications are being implemented.

With the recent Facebook data harvesting scandal where the personal data of 50 million users was used inappropriately, user fears have been proven correct, resulting in greater calls for stronger regulations to protect consumer privacy. In another case, Uber waited a whole year before informing customers that their data had been hacked and that they had paid hackers US$100,000 to destroy the personal data collected.

With the November 1st legislation, these types of corporate missteps will be heavily scrutinized with affected customers notified in a timely manner.

 

What do I have to do if a data breach occurs?

When a data breach occurs a report must be made to the OPC and affected individuals must be notified.

The report to the OPC must include:

– a description of the circumstances and cause of the breach;

– the date or period of the breach;

– a description of the personal information that is the subject of the breach;

– an estimate of how many individuals are exposed to a “real risk of significant harm”;

– a description of what the organization has done to reduce or mitigate harm;

– a description of what the organization has or intends to do to notify each individual; and

– the contact information of a person who can answer the Commissioner’s questions about the breach.

Notification to affected individuals must include:

– a description of the circumstances of the breach;

– the day on which, or the period during which, the breach occurred;

– a description of the personal information that is the subject of the breach;

– a description of the steps taken by the organization to reduce or mitigate the risk of harm to the affected individual resulting from the breach;

– a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;

– a toll-free number or email address that the affected individual can use to obtain further information about the breach; and

– information about the organization’s internal complaint process and about the affected individual’s right, under Personal Information Protection and Electronic Documents Act (PIPEDA), to file a complaint with the Commissioner. (SOURCE)

 

Key Takeaways

By setting up the appropriate security mechanisms to stop data hacks from occurring in the first place, organizations will be saved from the legal, reputational and financial nightmares of Canadian data breaches.

And, should a data breach occur, your organization will be in a strong place with the public and government when reporting on the mechanisms that exist to stop an interference from occurring. It could be the difference between significant reputational and financial damage or the continued growth of a successful, respected organization.

Don’t wait for a breach to happen before taking action. SysGen has a comprehensive enhanced security offering that protects businesses from cybersecurity attacks and data breaches. If you’re interested in exploring SysGen’s holistic security offering contact us today.