National Post

Five strategies business should use for new data breach law

- THIS ARTICLE WAS PROVIDED BY JOLERA FOR COMMERCIAL PURPOSES. PAOLO DEL NIBLETTO

Canadian business was thrown into a tailspin over a special compliance requirement for data breaches added to the Personal Information Protection and Electronic Documents Act — better known as PIPEDA.

This new PIPEDA law would force organizations to report security breaches that involve personal data that pose “significant harm” to individuals.

The “significant harm” portion was kept somewhat open to interpretation, but what’s clear is organizations must keep records for two years and share them with the privacy commissioner (at this link: https://www.priv.gc.ca/en/). There are stiff penalties, of as much as $100,000, for non-compliance.

Security expert Brenda McPhail of the Canadian Civil Liberties Association (CCLA) says the new law is a positive step forward because of the major breaches that have already occurred. Companies and organizations are holding on to big quantities of data, making them attractive targets for hackers.

“This is a long time coming. It was in the Digital Privacy Act in 2015, so there should be no excuses,” says McPhail, director of CCLA’s Privacy, Technology and Surveillance Project.

McPhail suggests companies should do some ground work and make a plan that fits their business and the systems in place today. She has created a list of must-have strategies to help them avoid data breaches and know what to do when one occurs.

1. Knowledge is power: Read the law and the guidance put forth by the privacy commissioner. McPhail suggests it’s better to familiarize yourself with the requirements upfront than when a crisis hits. By having the knowledge, you can then figure out what is required of you.

2. Find the data: Know what personal information is inside your organization. Find out where the data resides and how it’s being used. If the data is stored in Canada, then it will be subject to Canadian privacy laws. If not, then it could open you up to other laws.

3. Data disposal: Get rid of data you don’t need. A big question businesses should ask is whether they really need all the data they have collected. Develop a data minimization plan and dispose of data not needed. The plan should include storage and retention schedules. McPhail believes this is the best protection against data breaches. “The myth out there is if we have a lot of data and we keep it, then one day we will find a way to use it,” she says. “Frankly, that may or may not come true, but what it does is open yourself up to risk.”

4. The security plan: Develop a security plan that includes monitoring of the entire IT environment. There are different ways to accomplish this, but the plan must include assessments, auditing and tracking to effectively monitor what happens in your IT system, including third-party data. McPhail strongly urges companies to work with security experts who can regularly update and test systems through penetration testing solutions. By doing this, you stay on top of the security threat. “There will always be malevolent actors who want to get in,” she adds. “Find the problem before the bad guys do.”

Don’t forget the basics, such as patch management. The WannaCry attack proved that updating the security posture through free patches is essential.

5. Security training and culture: Develop a plan to mitigate human error. “When IT systems or portable devices and humans collide, there will be risk,” McPhail says. Security breaches do not happen solely because of flaws in the computer system; they often happen because people make mistakes. Security training and policies are imperative. “Security can add extra steps to processes, so people need to understand why it matters that they take those steps,” McPhail says. “Training needs to be ongoing to create a culture where privacy and security are priorities, not add-ons.”

Bonus strategy, the response plan: Make a data breach response plan. Figure out what your organization will do when a security breach happens. Make sure to include compliance along with the criteria you will use to determine the level of “significant harm.” Explains McPhail: “In the heat of the moment, you will feel a need to minimize the harm to your business, but what you should keep in mind is that it’s not just the number of people that makes the breach harmful, but what information is involved.”

A solid plan in place that focuses on compliance will help you know exactly what to do in a crisis. Also, remember that you must keep records of all breaches, even if they do not reach the reporting threshold. You may want to show the plan to the privacy commissioner’s office or a privacy professional. They are there to help you. And by showing them your plan and getting the blessing of the privacy commissioner, you will ensure you have the right measures in place when a crisis hits.
