F12 Blog

New Notification Regulations a “Perfect Storm” for Canadian Businesses

Canadian Privacy Regulations

Canadian businesses are facing a perfect storm of new notification regulations, rampant data breaches, and inadequate cybersecurity defences.

Mandatory regulations place new demands on businesses

In an update to the Personal Information Protection and Electronic Documents Act (PIPEDA), new regulations come into force on November 1st, 2018. These regulations mandate notification of security breaches that pose a “real risk” of identity theft, humiliation, financial loss, or harm to reputations and relationships. Businesses must notify the Office of the Privacy Commissioner of Canada and affected individuals “as soon as feasible”.

Despite the significant impact on business, the changes have received little attention in the press or from the federal government. “In addition to taking steps to reduce the risk of a breach, businesses need to know how to respond appropriately should an incident occur,” notes Daniel Therrien, Privacy Commissioner of Canada. “That includes knowing the legal requirements for reporting breaches to my office and notifying affected individuals.”

The Privacy Commissioner’s office published a recent survey which indicates businesses are increasingly complacent about data breaches. “The low level of concern amongst some businesses is surprising given the significant number of major breaches we see occurring,” says Commissioner Therrien. “The risk of a breach is an issue every business that collects and uses personal information must be alert to.”

Business leaders may want to reconsider their complacency. The Office of the Privacy Commissioner is seeking new powers including the power to enter an organization and independently confirm that the principles in federal privacy laws are being respected – even if a violation of law is not suspected.

Data breaches are escalating

Complacency would be understandable if we were winning the war against hackers, scammers, and cybercriminals. We are not. Cybercriminals have stolen billions of corporate and personal passwords. Many of the passwords are up for sale on the Dark Web. Worse, some organizations have poor password policies, allowing employees to use the same password for long stretches of time.

From LinkedIn to MyFitnessPal, from Equifax to Facebook, mass breaches are snowballing. It’s not just the big players being hit. Small and medium enterprises (SMEs) are soft targets for ransomware, social engineering, data theft, and espionage. CIRA reported that last year 19% of businesses suffered ransomware and 32% had divulged personal information through a phishing attack.

The challenge of detection and response

Organizations must step up their ability to detect, assess, and respond to cybersecurity and privacy breach incidents. That is a big ask. Detection involves complex tools and systems to sift through a mountain of events and logs. Security professionals need advanced skills to triage and investigate alerts. It takes time and effort to develop and test response plans. A thorough incident investigation demands forensic experience.

If the Privacy Commissioner comes calling, how can a small or medium enterprise competently respond? Will the organization know before stolen data is used to damage customers, suppliers, investors, or the brand?

The challenge for IT departments

Most IT departments and IT service providers do not have the resources to develop the expertise and systems to address today’s cybersecurity challenges. In today’s “always connected” world, detection and response must be 24x7, or it’s not very useful. Fortunately, there are options.

Solutions are available

Cybersecurity competency was once the exclusive domain of large enterprises. Now, managed security service providers have stepped up to fill the void, offering businesses a shortcut to cybersecurity maturity. For example, F12.net offers Dark Web Monitoring and F12 Secure solutions designed for businesses with between 20 and 300 people.

Where should a concerned business leader start? A 3rd Party Security Assessment will arm you with analysis of your security posture, will alert you to “weak links,” and will advise you of steps to take. If you are ready to step up the game for your organization, talk to F12.net today. Book a consultation to get started.


