When It Comes To Mandatory Breach Reporting, Hope Is Not A Strategy
Insight Cyber Risk experts at Deloitte educate business owners on how implementation of new Mandatory Breach Reporting will affect small and medium businesses.
In 2015, the Canadian government introduced the Digital Privacy Act, which amended the existing federal private-sector privacy law (PIPEDA) to provide stricter requirements for organizations that manage customer information, including retailers, banks, airlines, marketers, and private businesses. These include mandatory data breach reporting requirements that are expected to come into effect in the fall of 2017, exposing organizations to potential privacy class action lawsuits and increased costs associated with managing breaches.
While small and mid-sized businesses will face a more significant challenge when it comes to the resources — both human and financial — required to comply, the fact is that all organizations of every size must take steps to implement an appropriate breach tracking, response, and notification program.
The new requirements
Once the new breach reporting rules are in effect, organizations will be required to notify any affected individuals, as well as the Office of the Privacy Commissioner of Canada, of any data breach that creates a “real risk of significant harm to the individual.” They must do so “as soon as feasible,” and knowingly failing to do so carries fines of up to $100,000.
“Significant harm” can include humiliation, damage to reputation or relationships, financial loss, and identity theft. Businesses are left to make their own determination of how quickly to report, but report they must. They must also keep a record of every security breach, whether or not it meets the reporting threshold, and provide those records to the Privacy Commissioner on request.
While some aspects of the legislation have yet to be clarified — for example, direction regarding what must be reported and what the reporting mechanism will be — the essential goals of the legislation are clear, and the government is taking a strong stance on enforcement. The Privacy Commissioner has the power to post breach notifications, bringing the risk of class action lawsuits to the fore.
Hope is not a strategy, so prepare today
While every organization’s needs will be different, the first step toward compliance is to take stock of your assets in order to assess what information may be at risk in a potential breach. Next, evaluate your current cybersecurity capabilities and see where you stand with respect to the new requirements. The requirements won’t change your core cybersecurity needs, but they raise the cost of a breach for organizations whose controls are not already sufficient, which should be encouragement to make the necessary changes now.
For small- and medium-sized businesses with strained resources, seeking third-party assistance to assess your data assets and develop an appropriate security framework and breach response plan can be wise. There are also several preventative measures all businesses should consider putting in place. These include:
- Gaining an understanding of your online profile and which groups might target you through social media or other digital channels
- Using threat-intelligence-enabled, multi-layered endpoint security, network security, and reputation-based technologies to uncover potential risks
- Retaining a third-party firm for crisis management/incident response
- Running practice drills to ensure you have the skills necessary to respond effectively
All organizations also need to think through the impact of the strict new record-keeping requirements, and implement and maintain tracking and reporting mechanisms that document every breach, including those judged not to pose a real risk of significant harm, if they haven’t done so already. For more mature or larger organizations, cyber liability insurance may make more sense once overall breach response costs are considered.
As the cyber threat landscape evolves, organizations’ breach response strategies must be transformed from a multifaceted process into one cohesive response that incorporates the legal, privacy, insurance, cyber, and forensics teams. With a proactive, coordinated, and cohesive approach, organizations can take mandatory breach reporting in stride, instead of on the chin.