In an update to the Personal Information Protection and Electronic Documents Act (PIPEDA), new regulations come into force on November 1st, 2018. These regulations mandate notifications of security breaches which have a “real risk” of identity theft, humiliation, financial loss, or harm to reputations and relationships. Businesses must notify the Office of the Privacy Commissioner of Canada and affected individuals “as soon as feasible”.
Despite the significant impact to business, the changes have received little attention in the press or from the federal government. “In addition to taking steps to reduce the risk of a breach, businesses need to know how to respond appropriately should an incident occur,” notes Daniel Therrien, Privacy Commissioner of Canada. “That includes knowing the legal requirements for reporting breaches to my office and notifying affected individuals.”
The Privacy Commissioner’s office published a recent survey which indicates businesses are increasingly complacent about data breaches. “The low level of concern amongst some businesses is surprising given the significant number of major breaches we see occurring,” says Commissioner Therrien. “The risk of a breach is an issue every business that collects and uses personal information must be alert to.”
Business leaders may want to reconsider their complacency. The Office of the Privacy Commissioner is seeking new powers including the power to enter an organization and independently confirm that the principles in federal privacy laws are being respected – even if a violation of law is not suspected.
Complacency would be understandable if we were winning the war against hackers, scammers, and cybercriminals. We are not. Cybercriminals have stolen billions of corporate and personal passwords. Many of the passwords are up for sale on the Dark Web. Worse, some organizations have poor password policies, allowing employees to use the same password for long stretches of time.
From LinkedIn to MyFitnessPal, from Equifax to Facebook, mass breaches are snowballing. It’s not just the big players being hit. Small and medium enterprises (SMEs) are soft targets for ransomware, social engineering, data theft, and espionage. CIRA reported that last year 19% of businesses suffered ransomware and 32% had divulged personal information through a phishing attack.
Organizations must step up their ability to detect, assess, and respond to cybersecurity and privacy breach incidents. That is a big ask. Detection involves complex tools and systems to sift through a mountain of events and logs. Security professionals need advanced skills to triage and investigate alerts. It takes time and effort to develop and test response plans. A thorough incident investigation demands forensic experience.
If the Privacy Commissioner comes calling, how can a small or medium enterprise competently respond? Will the organization know before stolen data is used to damage customers, suppliers, investors, or the brand?
Most IT departments and IT service providers do not have the resources to develop the expertise and systems to address today’s cybersecurity challenges. In today’s “always connected” world, detection and response must operate 24x7; coverage limited to business hours leaves attackers free to act unnoticed the rest of the time. Fortunately, there are options.
Cybersecurity competency was once the exclusive domain of large enterprises. Now, managed security service providers have stepped up to fill the void, offering businesses a shortcut to cybersecurity maturity. For example, F12.net offers Dark Web Monitoring and F12 Secure solutions designed for businesses with between 20 and 300 people.
Where should a concerned business leader start? A third-party security assessment will arm you with an analysis of your security posture, alert you to “weak links,” and advise you of the steps to take. If you are ready to step up the game for your organization, talk to F12.net today. Book a consultation to get started.