With less than a month to go before Canada’s mandatory breach notification regime an expert doubts many of the country’s organizations are ready.
“Based on what I’m hearing, not that prepared,” Danny Pehar, a speaker at this year’s annual SecTor conference in Toronto, said in an interview.
“But they’re getting there,” he added.
The president of Cyber Insurance Education, a consultancy, Pehar said that “a lot of organizations when I ask them what their thoughts are, a lot are saying, ‘I think we’re prepared, but I’m not that familiar with it.’”
However, he’s optimistic. “I think response [to a cyber incident] is the last piece of the [security strategy] puzzle,” he said.
“Canadians have gotten very good at the prevention aspect of security, they started getting better at the protection aspect, and now response is the final piece. We have to be able to respond when we get hit.”
Being prepared with a response plan is what the new breach notification provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law for companies coming under federal jurisdiction, is about, he said.
Understanding the new obligations is what Pehar’s session was about.
It’s not like CIOs, CISOs and privacy officers haven’t known this was coming. The notification obligations were added to PIPEDA in 2015. The private sector was given almost three years to consult with the government on the regulations, which fill in some of the fine details (records have to be kept for at least two years). Those regulations were finalized in April, giving companies seven months to prepare.
Basically, Pehar said, the mandatory notification rules govern what companies should do after their security controls have been breached, including record-keeping.
Note that the law now requires organizations to keep a record of all breaches of security controls, regardless of whether personal identifying data has been stolen. Those records, Pehar added, can be seen by the federal privacy commissioner, who can publish them if he or she deems it to be in the public interest.
The law also details:
— who needs to be notified: affected individuals and the federal privacy commissioner;
— what breaches require notification: those that create a real risk of significant harm to a person (including humiliation, identity theft and damage to reputation). Real risk requires consideration of the sensitivity of the information, the probability of misuse of the data and any other prescribed factor (and so far there are none). So, for example, a list of stolen names alone from a hockey fan site might not be sensitive, but the same list from a sexual assault victims’ group probably is;
— when notification needs to happen: “as soon as feasible” after a breach has been discovered. Don’t think about lying to the privacy commissioner (“we didn’t see it until a week ago”), said Pehar;
— what the notification has to include: the circumstances of the breach, what personally identifiable information was taken, an estimate of the number of individuals at real risk of significant harm, and the steps the organization has taken to prevent a similar incident. The notification can be updated as more is learned;
— how notification can be made: email, telephone, letter or in person. Indirect notification (on a web site or in a newspaper ad) is permitted in certain circumstances, such as when the organization doesn’t have recent contact information.
It’s important that companies have a breach response plan, Pehar said, starting with understanding what data assets they hold. Managers then have to ensure there is a response process in place: what will be done if there is a breach, who on staff and outside the company will be called, whether there is a designated crisis room, and whether there is cyber insurance coverage.
“Organizations must now, more than ever, ensure they have in place internal safeguards, policies and procedures to adequately detect, escalate, and respond to privacy incidents,” Pehar concluded.