Vancouver Sun

Data security more important than ever before

Smaller businesses also need to tighten up, says Ari Indyk.

- Ari Indyk leads the Data Security and Privacy Practice Group at Edelman Vancouver, a leading public relations firm.

Last October, the federal government introduced several key amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), which forms the basis for Canada’s data privacy regulations.

Following the amendments — which require Canadian organizations to keep a comprehensive record of data breaches, report breaches to the privacy commissioner, and notify affected stakeholders when there is a real risk of significant harm — many across the industry braced for a dramatic increase in the number of reported cyber incidents.

That prediction has borne out. Between November 2018 and June 2019 alone, 446 data breaches have been reported to the Office of the Privacy Commissioner of Canada, nearly six times the number of breaches reported during the same time period under the previous regulatory regime. But these numbers tell only part of the story. One year after the PIPEDA amendments, there are several other key takeaways for businesses handling consumer data, especially around the central role of communications in helping manage risk in this space.

First, cybersecurity is not just an issue for major, multinational corporations.

While large-scale breaches may make the news, smaller businesses are far more frequently and severely affected. According to the Canadian Internet Registration Authority, roughly 70 per cent of data breaches in 2018 affected companies with fewer than 100 employees. These are organizations that often do not have the resources to effectively prevent and respond to cyber incidents.

To manage these risks, companies should have a cyber-incident response plan capable of guiding communications with key stakeholders, which will be crucial for reducing their fiscal, legal, and reputational exposure.

Businesses should also carry cyber insurance to mitigate a potentially significant economic blow, as data breaches cost Canadian organizations an average of $5.9 million, according to a 2018 study by IBM and the Ponemon Institute. When responding to an incident, cyber insurance also facilitates immediate access to the necessary expertise — legal, IT forensics, and public relations — that will help reduce potential business damages.

Second, we have entered an area of breach saturation.

Data breaches that involve high-profile brands, a significant volume of records, or sensitive information will still make headlines and garner public attention. Breaches that affect lesser-known companies, smaller volumes of data, or only basic information are not drawing the same level of external interest, but they still present serious reputational risk with potential effects on key stakeholders, including customers, employees, and business partners.

Consider, for example, a situation in which a successful ransomware attack disrupts a company’s ability to conduct essential operations, like communicating with clients, fulfilling customer orders, or paying employees.

In these scenarios, companies should be prepared to engage with a broad range of stakeholders or risk being perceived as unaccountable, incompetent, or apathetic.

Last, data privacy considerations are becoming increasingly important.

More businesses are embracing a data-driven approach, with 90 per cent of the world’s data created within the last two years alone. Simultaneously, rapidly growing technologies, like the Internet of Things, are raising important questions and concerns about data privacy and privacy.

In an economy where consumers readily trade personal information for services and products, compromised data is starting to be viewed as a potential cost of doing business. But consumers are far less trusting of companies perceived to be misusing or abusing consumer data. They are also demanding greater clarity into how and why their data is being collected, stored, shared, and utilized. Companies should be having proactive, transparent, and accessible conversations with their stakeholders around their approach to data privacy.

These issues are not going away. If anything, they are only becoming more prevalent and complex. One year after the changes to PIPEDA, it is clear the data security and privacy landscape is still evolving. The challenges facing businesses are changing, too, and companies should understand how communications is playing an increasingly important role in managing those risks.
