Businesses are data driven, and enterprises are challenged to both leverage data effectively and manage it. This includes securing it, but also understanding and complying with legislation. The Digital Privacy Act has amended some aspects of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), including introducing a new data breach notification requirement that is not yet in force.
Bernice Karn, a partner at Cassels Brock in Toronto, said the amendments have been talked about for some time; consultations were due to wrap up at the end of May. PIPEDA was intended to be reviewed every five years since being introduced more than 15 years ago, but she said this is the first major review since its inception.
Changes have already been made to address some of PIPEDA’s gaps, said Karn. For example, there had never been a proper way to deal with the handling of personal information in a business transaction, such as a customer list or employee information when a business is being sold. There were no provisions in PIPEDA on how to transition that information to the buyer, she said; now there are steps.
One key element of PIPEDA still being hammered out is the guidelines around breach notification and what form the regulations should take. (Alberta is currently the only province in Canada to have generally applicable mandatory data breach reporting requirements for all private sector organizations.) Even then, said Karn, it’s murky, as the PIPEDA amendment is pretty broad. “It puts a lot of discretion in the hands of the organization that was breached.” Organizations have to make a significant judgement call, she said. “It’s a hard thing to figure out. Not every data breach is all that serious.”
Regardless of what the legislation says, Karn said organizations need to treat a breach like managing any other crisis. “You need a process in place to handle this that involves being able to identify when a breach happens, bring the right people to the table to contain the problem and mitigate the situation.”
For most organizations, it’s not a question of if they will experience a breach, she said, it’s a question of when. The process they follow should include a post mortem so they can learn from it. “It’s a loop. You repeat the loop every time.” And that loop may contain litigation, Karn said.
A lot of organizations didn’t take PIPEDA seriously when it came out. “Fifteen years later, we are realizing there is value in personal data,” she said, and that means having a privacy policy and best practices in place is essential. “You have to pay more than lip service than a plain vanilla policy.”
Karn, who leads her firm’s IT contracting practice, said some organizations are minimizing their risk of a breach by limiting the personal information they collect if possible. “If they don’t have to see it, they don’t want to see it.” But in the world of social media, personal information is currency, she said, with the paradox being the general public is never happy with untoward use of their information, but willing to share reams of it online.
For IT departments, the challenge is to have visibility at the board level of the organization, said Karn, and to turn the board’s minds toward issues around privacy and cybersecurity. Ideally, an enterprise should have a subcommittee established that is conversant in areas related to privacy, and more broadly, employees need to have training around the handling of personal information.
Kevin Lonergan, analyst with IDC Canada, agrees that training is an important piece of the puzzle and that the best way for organizations to comply with PIPEDA and the Digital Privacy Act amendments is to reduce the possibility of a breach. But most enterprises, he said, have a ways to go. “In terms of IT security maturity, many organizations are not at the step where they have a response plan. Many don’t know they are being breached.”
The research firm conducts an annual survey to understand the security maturity of organizations, said Lonergan, and while there are improvements year over year, many have a ways to go. The survey places organizations in four buckets, with the lowest in maturity dubbed “defeatists.” These are companies that know they have breaches, have low confidence in their security and need to spend more money but have budget constraints. “They are kind of stuck.”
“Denialists” are similar, but have a little more confidence and do spend money on security technology. “The problem is they don’t have the training or best practices,” said Lonergan. “They don’t really have a risk management plan in place. They don’t have a security roadmap in place.”
Further up the ladder in terms of maturity are “realists,” who experience a less than average number of breaches and are spending and training more, but still don’t have a roadmap or plan going forward. At the very top are “egoists,” who have very high confidence in their security technology, have invested in training, and have a roadmap in place. Lonergan said more than half of the organizations surveyed end up in the first and second buckets, and don’t have a risk management process in place.
“Things are going in the right direction,” he said. “Each year organizations become more concerned about security.” That includes an increase in budgets. “One of the biggest drivers has been the media attention we’ve seen from high profile breaches.”
That being said, breaches are becoming routine and not hitting home as much, said Lonergan, so hopefully the PIPEDA changes will spur enterprises to continue the security spending momentum and create roadmaps. “Organizations should worry about improving their security stance,” he said. “If they lower the likelihood of being breached, they are less likely to have to deal with PIPEDA.”