by: Paul K. Grower
The Personal Information Protection and Electronic Documents Act’s (PIPEDA) new Breach Notification Rules will come into force on November 1, 2018. This article provides a brief synopsis of what these rules entail, but it should not be construed as legal advice. Members of the Winnipeg Chamber of Commerce are encouraged to speak with legal counsel to better understand how the Rules will affect their business.
In order for the Rules to apply, there must be a loss of, unauthorized access to or unauthorized disclosure of personal information that is under the control of a member (in other words, a “breach”).
It is important to note that responsibility for the reports/notifications outlined below will lie with the member if the member controls the personal information. However, if a breach occurs at, for example, an arm’s length storage facility hired by the member to store personal information, it will be BOTH the member’s responsibility and the storage facility’s responsibility to comply with the Rules.
The Rules outline that if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual, the member (and if applicable, any other third party) is then obligated, as soon as it is feasible to do so, to:
In the report filed with the Privacy Commissioner of Canada, the member must (to the extent that the member knows):
It is expected that this report will be updated as information is further gathered/determined.
In the notification provided to the individual, the member must (to the extent that the member knows):
The goal of the notification to the individual is to provide sufficient information to allow the individual to understand the significance to them of the breach, such that they can take steps, if any are possible, to reduce the risk of harm.
Also, it is expected that the individuals affected will be directly contacted by the member (phone, email, mail, etc.), subject to exceptions of harm to the individual and/or hardship to the member and/or lack of contact information. If any of the exceptions apply, indirect notification—via public communications (e.g. media, website, etc.)—will need to be utilized.
The legislation specifies that “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
In determining whether there is a “real risk” of such harm, the sensitivity of the information and the probability that it will be misused need to be considered.
It is important to note that if a breach occurs—and it is determined by the member that it does NOT create a real risk of significant harm to an individual—the member must still maintain a record of the breach for at least two (2) years thereafter. The purpose for retaining these records is to allow the Privacy Commissioner to verify a member’s compliance with the Rules. Therefore, if a breach is not reported to the Privacy Commissioner, the information that would have been provided to the Privacy Commissioner, if it had been reported, must be maintained.
Most importantly, these Rules provide for fines of up to $100,000 if an organization knowingly violates its obligations.
Cybercrimes are growing exponentially, posing tremendous threats to our financial markets, undermining public confidence, violating our privacy and costing hundreds of billions of dollars annually.
A recent PwC survey found that over half of Canadian companies have been victims of cybercrime. Accenture found that few Canadians know how to respond to cybersecurity threats.
Booth UC, in partnership with global cyber education leader Cybint, is answering the call and offering two online cyber literacy courses this fall. The courses are relevant for anyone, from members of the public to professionals, who hopes to stay ahead of the growing trend in cybercrime.
Using a unique "micro-learning" concept for maximum retention, these courses offer a comprehensive overview of cybercrimes, covering terminology, best practices to protect against cyber threats, unique online search and analysis techniques, and methods to uncover hidden data and recover deleted data from around the web.
Angela Davis, chair of the business program at Booth UC, says, “Educating everyday users, employees or both on cybersecurity risks is key today. These courses provide that education and also include practical tools that students can start using today. In addition to our financial crimes major in the BBA program, Booth UC is providing unique opportunities for the community to improve cybersecurity."
"Cyber literacy has become a core necessity within the workplace, and the demand for expertise in the cybersecurity and cyber intelligence fields continues to grow," says Roy Zur, Cybint CEO and global cybersecurity and cyber intelligence expert. "Our programs are designed to provide cyber literacy at both the individual level and managerial level – creating a broad network of cyber expertise that extends beyond typical technical expertise and adds value in any professional or business environment."
Although the courses begin this fall, registration is open now for those looking to secure a spot in these popular courses. For additional information, contact admissions@MyBoothUC.ca or phone (204) 924-4887 or toll-free 877-942-6684 ext. 887.
Data security and privacy breach: the most pernicious disease facing businesses today. Yet few victims will speak its name. Can your business survive a data security or privacy breach?
ISACA Winnipeg has invited Peter McCabe, Technology Practice Leader & Account Executive at PROLINK to speak on the subject of data security and privacy breach to shine a light on this dark topic.
The presentation will cover the following elements of this disease:
What about cyber insurance? Its purpose is to relieve the financial stress and provide access to experts. It’s only one piece of an ongoing risk management plan.
When: Tuesday, March 27, 2018 from 11:30 AM to 1:15 PM
Where: RBC Convention Centre – Millennium Suite (375 York Ave, Winnipeg)
ISACA Members: $40.00
We’ve all seen the headlines “Company X has had their data held for ransom” or worse yet, “Company Y had a data breach and customer information has been stolen”. This only happens to the big Fortune 100 companies, right?
Wrong: cybersecurity is relevant to companies of all sizes, and anyone is a target. In fact, 43 percent of cyber attacks target small businesses.
While your business may only have a security budget that is a fraction of a larger enterprise's, spending that money wisely can still help you sleep at night. Nothing is ever infallible; however, implementing security measures can go a long way.
Security Measures You Should Have in Place
Cybersecurity works best when implemented in layers, much like how you protect your own house. Working from the outside in, there are several common layers typically implemented in a well-designed system:
Some questions you should ask yourself:
It is vital to know the answers to these questions BEFORE something happens. Time is of the essence when dealing with a data breach or malicious activity. If you are unable to stop the spread quickly, it can be much like a fire in your house: if not contained quickly, it can be devastating.
If you are unsure of your company's cybersecurity defenses, or are unable to answer the above questions, that probably means there is room for improvement. Just as with your home, unless you're experienced in assessing alarm systems, it's often best to talk to an expert who specializes in this field. By following these measures and getting a security assessment, you can significantly reduce the risk that cyber threats pose to your business.
Imagine your worst day as a business owner/executive: Accounting calls and says all your financial documents are missing. Five minutes later, Operations calls and tells you the plant is shutting down as none of the systems are working.
Could this all have been avoided?
You've probably seen board members and senior executives taking a greater interest in cyber security with mounting coverage of international incidents, and that's a good thing. It is vital that decision makers are properly informed so that they can make better choices in guiding your organization. The ISACA Winnipeg Chapter wants to help security professionals connect senior executives and board members with the information needed to start or further a conversation about cyber security.
On Tuesday, September 19, 2017, the ISACA Winnipeg Chapter is hosting a breakfast and presentation on Board Responsibilities for Cyber Security. Winnipeg Chamber of Commerce members may attend this event for the ISACA member rate of $20 (plus GST) by using the code PEGCHAMBER.
ISACA is the premier association worldwide for security and audit professionals and practitioners, with a strong focus on continuing professional development and learning through sharing to improve IT audit, security and control practices. The award-winning ISACA Winnipeg Chapter is internationally renowned for its educational focus and successes, including hosting the longest-running and best-known annual security conference in Western Canada. Visit our website at http://isaca-wpg.org/