Is your business prepared for Canada's data breach notification rules?
What does the cyber risk landscape look like today?
Across the globe, we have seen an increase in the number of malicious cyber attacks, as well as in their severity and size. These cyber events are impacting companies and customers alike. Small and medium-sized businesses are the most common victims of cyber breaches. This is likely the result of the limited time and resources small and medium-sized businesses can spend on cyber security. That said, even companies with the most robust security measures - like Yahoo, Target, Apple, and eBay - are not immune from the threat of a data breach.
Imagine this - in 2016, over 1.6 billion records (a record is equal to one person's personal data) were lost or stolen worldwide. North America accounted for over 80% of those lost records. While some people's information has been taken more than once, that is 1.28 billion records stolen in a population of under 600 million people!
Why do we not hear of more breaches of small and medium-sized businesses in Canada?
Until November 1st, 2018, companies in Canada did not have to report a breach. Many chose not to, hoping that their clients or suppliers would not discover that personal digital information had been stolen.
Now that November 1st has passed, organizations like the Canadian Federation of Independent Business (CFIB) are concerned that businesses are neither aware of the new rules nor prepared for them.
What is PIPEDA?
The Personal Information Protection and Electronic Documents Act (PIPEDA) establishes rules for how businesses handle personal information in commercial settings. Under PIPEDA, individuals must give consent for their personal information to be collected by businesses. The law requires businesses to limit the information they collect and put appropriate data security safeguards in place.
How does the Digital Privacy Act (DPA) change PIPEDA?
Simply put, the DPA amends PIPEDA and creates three new requirements that force businesses to rethink their data security practices. The DPA requires organizations to maintain records of all data breaches, report most data breaches to the Commissioner and disclose harmful data breaches to affected individuals.
To get a more complete perspective on what these new rules mean to your business, download our whitepaper: Your Guide to the Digital Privacy Act. This includes information on what is changing, reporting requirements, what constitutes 'harm', what the role of the federal commissioner is, data-breach record-keeping requirements, methods to prepare and more.
Is it time for a Cyber Insurance quote?
That is really up to you to decide. We believe in informed decisions. The cost of a data breach can be significant. There is much more to consider than the cost of notifying everyone required and the cost of getting data back (if possible).
Three simple questions to consider include:
- How do we best handle the public relations component to minimize damage to trust?
- What if a cyber breach shuts down our operations by shutting down our IT infrastructure?
- What if we lose information pertinent to doing business and are unable to recover it?
We really believe it is in your company's best interest to simply find out how much it would cost to give yourself the peace of mind you deserve. Your focus and resources are best used on managing and growing your business, not on trying to save face with clients, suppliers and staff after a data breach.