The Digital Privacy Act changes data breach reporting requirements
Is your business prepared for Canada’s digital privacy data breach notification rules?
What does the cyber risk landscape look like today?
We have seen an increase in the number of malicious cyber attacks across the globe, both in severity and size. These cyber events are impacting companies and customers alike. Small and medium-sized businesses are the most common victims of digital privacy cyber breaches. This is likely the result of the limited time and resources small and medium-sized businesses can spend on cybersecurity. That said, even companies with the most robust security measures – like Yahoo, Target, Apple, and eBay – are not immune to the threat of a data breach.
Recent Canadian data breaches include companies like McDonald’s, Nissan Canada Finance, Uber, Canoe.ca, Bell Canada, and Canadian Tire.
Imagine this – in 2016, over 1.6 billion records (a record is equal to one person’s personal data) were lost or stolen worldwide. North America accounted for over 80% of those records. While some people’s information has been taken more than once, that is 1.28 billion records stolen in a population of under 600 million people!
Why do we not hear of more breaches of small and medium-sized businesses in Canada?
Until November 1st, 2018, companies in Canada did not have to report a breach. Many chose not to, hoping that their clients or suppliers would not discover that personal digital information had been stolen.
Now that the November 1st date has passed, organizations like the Canadian Federation of Independent Business (CFIB) are concerned that businesses are neither aware of the new rules nor prepared for them.
What is PIPEDA?
PIPEDA, the Personal Information Protection and Electronic Documents Act, establishes rules for how businesses handle personal information in commercial settings. Under PIPEDA, individuals must give consent for their personal information to be collected by businesses. The law requires businesses to limit the information they collect and put appropriate data security safeguards in place.
How does the Digital Privacy Act (DPA) change PIPEDA?
The DPA amends PIPEDA and creates three new requirements that force businesses to rethink their data security practices. The DPA requires organizations to maintain records of all data breaches, report most data breaches to the Commissioner, and disclose harmful data breaches to affected individuals.
To get a complete perspective on what these new rules mean to your business, download our whitepaper: The Bryson Insurance Guide to the Digital Privacy Act. This includes information on what is changing, reporting requirements, what constitutes ‘harm,’ the role of the federal commissioner, data-breach record-keeping requirements, methods to prepare, and more.
Is it time for a Cyber Insurance quote?
That is really up to you to decide. We believe in informed decisions. The cost of a data breach can be high. There is much more to consider than the cost of notifying everyone required and the cost of getting data back (if possible).
Three simple questions to consider include:
- How to best handle the public relations component to minimize damage to trust?
- What if a cyber breach shuts down our operations by shutting down our IT infrastructure?
- What if we lose information pertinent to doing business and are unable to recover it?
We really believe it is in your company’s best interest to find out how much it would cost to give yourself the peace of mind you deserve. Your focus and resources are best used to manage and grow your business, not on trying to save face with clients, suppliers, and staff after a data breach.