Risk Management in a New Era
Cybersecurity and The Digital Privacy Act
By: Mark Walsh
There are two types of companies: “those that have been hacked and those that will be”[1].
This remark, considered against the backdrop of several recent high-profile breaches, marks the beginning of a new era in data protection – one which is poised to undergo a fundamental shift in Canada in the coming months.
Cyber-attacks are neither industry nor sector specific. As a small sampling of recent victims shows – the Canada Revenue Agency, Casino Rama, PC Financial, and Yahoo[2] – data breaches can have far-reaching financial and reputational implications for any business or organization.
While the potential loss of reputation, consumer confidence and the inevitable legal ramifications may cause some executives to consider withholding details of breaches, upcoming changes to Canada’s privacy legislation will require companies to become more transparent about cyber-attacks and how they protect the personal information of Canadians.
Canada’s Digital Privacy Act
The passing of the Digital Privacy Act ushered in a number of significant amendments to Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). The amendments align Canada more closely with other data protection regimes globally.
It, along with other cybersecurity measures introduced by the federal government, is intended to protect consumers, strengthen the security posture of Canadian organizations, and enable Canada to effectively deal with “21st century privacy problems”[3]. Compliance with the Act requires any Canadian organization that collects, uses, or discloses personal information in the course of commercial activity to examine its cybersecurity strategy, roadmap, policies and procedures to ensure it has implemented appropriate safeguards.
The Act will require businesses and organizations to:
- notify the Privacy Commissioner of any breach if said breach could create a “real risk of significant harm”[4];
- notify affected individuals (and, in certain circumstances, other organizations or government institutions that may be able to reduce the risk of harm) when their personal information has been lost, stolen or otherwise compromised and the breach meets the same “real risk of significant harm” threshold;
- send notifications as soon as is practical, with their contents needing to be easily understood and allow for recipients to take necessary steps to minimize harm; and
- maintain records of all breaches and be able to provide said records to the Privacy Commissioner upon request.
These new requirements will have significant ramifications for your business and require your immediate attention.
What does it mean for your business?
With the potential for fines of up to $100,000 for non-compliance and the additional powers afforded to the Privacy Commissioner[5], the Digital Privacy Act and the risks surrounding cybersecurity have catapulted data protection to the top of the agenda for many executives and boards. Organizations need to understand their responsibilities and prepare accordingly.
How can you prepare?
With Canada’s future data protection framework taking shape, Canadian businesses need to start identifying and implementing necessary changes within their organizations.
1-Engage your organization’s security and privacy leaders
These individuals will be critical in helping your organization establish its overall compliance strategy, accountability framework, and in identifying any security/privacy gaps within your existing processes. In addition, these individuals will likely head your incident response team and execute several key activities (such as containment and notification) during a data breach. If your organization doesn’t have such individuals already, find a trusted advisor with these capabilities. Early discussions can help ensure you are on the right path.
2-Identify and classify sensitive data
Understanding your data is a crucial first step in protecting it. Only after identifying and classifying such information can your organization assess the applicability of the Act (i.e. do you handle personally identifiable information?), determine the data protection requirements for the data you have, and develop the appropriate response plan should that information ever be compromised.
3-Review Incident Response policies, processes and procedures
Your organization should review its existing incident response policy and procedures to ensure it has clearly defined roles and responsibilities, processes and procedures, notification plans and mechanisms, and response protocols. In addition, an annual test of the plan (for example, a tabletop exercise built around a breach of personal information) can assess the effectiveness and appropriateness of your processes. An effective security/privacy breach response plan allows your organization to comply with its new legal requirements while reducing overall risk, both during and following a breach. We also recommend engaging an experienced advisor in this process to help ensure objectivity.
4-Perform Privacy Impact Assessments and Information Security Gap Analyses
Privacy Impact Assessments (PIAs) can help your organization understand a) what personal information it has; b) why it is being collected; and c) how the information will be collected, processed, and stored. Conducting a PIA helps minimize any privacy risks that may arise in the day-to-day operations of your business.
Information Security Gap Analyses provide a comparison of your current security program/controls against industry best security practices. An information security gap analysis can identify threats/vulnerabilities to your organization, define a risk-based approach for allocating funds and resources, and demonstrate that all commercially reasonable efforts have been taken to safeguard the personal information under your control.
5-Manage incident response partners proactively
Given the need to respond effectively, efficiently, and expeditiously to a breach, it is advisable to proactively establish partnerships with organizations that may assist you in containing, remediating and recovering from an incident (legal counsel, public relations firms, cybersecurity experts, insurance companies, credit bureaus, etc.). The onset of an incident is not the time to be negotiating agreements with external agencies.
6-Evaluate service providers
Your organization should review its existing service providers. As “a firm’s level of cybersecurity is only as good as the cybersecurity of its vendors”[6], it is imperative that you determine whether any of them present an unacceptable level of risk due to a lack of necessary information security controls, policies, and/or procedures. It is also advisable to review your procurement procedures to incorporate cybersecurity/privacy requirements into your selection process and all future service contracts.
7-Implement a security/privacy awareness training program
Schedule educational seminars and provide team members with appropriate reference documents and training materials. Employees have a critical role to play when it comes to safeguarding your business and your data. Not only should they have the proper training on how to collect, process, and store information to prevent data breaches, but they should also know how to identify and report potential breaches. They are your first line of defense.
8-Consider Security Information and Event Management solutions
Security Information and Event Management (SIEM) solutions are designed to support threat detection and incident response through the real-time collection and analysis of security events, while also supporting compliance reporting. As the Act now requires organizations to maintain records of all breaches, it would be wise for organizations to look to in-house technological solutions or outsourced managed services to assist with their detection and compliance efforts. Note that the event logs a SIEM retains support, but do not replace, the breach record itself: the description of the incident, the personal information affected, the assessment of harm, and the notifications made must still be documented and producible to the Privacy Commissioner on request.
How can Richter help?
At Richter, we have a team of professionals that possess the right expertise to meet your organization’s needs. We will assign individuals who will be dedicated to delivering solutions that align with your high quality expectations. Our professionals hold relevant professional designations, which could include:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- Certified Information Privacy Professional (CIPP)
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Systems Auditor (CISA)
- Chartered Professional Accountant (CPA, CMA)
- Certified Internal Auditor (CIA)
[1] Mueller, Robert S., former Director, Federal Bureau of Investigation. “Combating Threats in the Cyber World: Outsmarting Terrorists, Hackers, and Spies” (speech). https://archives.fbi.gov/archives/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies
[2] http://www.reuters.com/article/us-yahoo-m-a-verizon-idUSKBN15U21R
[3] https://www.priv.gc.ca/en/opc-news/news-and-announcements/2016/nr-c_160927/
[4] http://laws-lois.justice.gc.ca/eng/annualstatutes/2015_32/page-1.html
[5] http://laws-lois.justice.gc.ca/eng/annualstatutes/2015_32/page-1.html
[6] http://www.reuters.com/article/us-regulator-cybersecurity-lawsky-idUSKCN0IB03220141022