Many business owners don’t realize that new laws are in place surrounding data breaches. On November 1st 2018, these new laws went into effect for all Canadian business owners. These laws will affect thousands of businesses, so it’s important for all business owners to be aware of the changes and be prepared to comply. If these laws are not followed, businesses could be fined up to $100,000.
Breaches Must Be Reported to the Government
If you collect customer data such as banking information, legal or health information, or SINs, and your database is breached, you must report this to the government. The new law defines reportable breaches as those that create “a real risk of significant harm to individuals”.
How Will These Changes Impact My Company?
You must report a breach like this to the Office of the Privacy Commissioner of Canada, and also to the individuals who were affected. Everyone whose private legal, health or financial information was lost must be informed. They need to know exactly what information was lost, how many records were impacted and what caused the breach.
Companies must also show that they have taken the appropriate measures to prevent future breaches. If the prescribed steps are not followed properly, the company can be heavily fined. In many cases, data breaches also damage the company’s reputation and affect consumer trust.
What Are The Specific Laws Changing?
This new law governing data breaches is not a stand-alone law. It’s an amendment to PIPEDA, the Personal Information Protection and Electronic Documents Act. For a summary of Canada’s privacy laws, please visit here. The specific laws related to digital information can be found here. It’s important to understand and comply with both.
Many experts have pointed out that the wording in PIPEDA does leave room for interpretation. It covers situations where “…it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” This wording is somewhat vague and may be interpreted in various ways by the Canadian courts.
Steps to Follow If There’s A Breach
Below is a brief outline of what your notification must cover if you experience a breach:
- The nature of the breach and what specific data was stolen
- What your organization has done to reduce risk and harm
- How those affected can protect themselves and reduce their risk
- The organization’s contact information
- The procedure for filing complaints
How Did the Breach Occur?
Once the source of the breach has been identified, the vulnerabilities must be repaired. Some breaches occur due to employee carelessness; perhaps an employee clicked on a link in a phishing email. With so many workers now using their own devices, a lost or stolen device also opens the door to a breach. The way to handle this issue is with a Remote Monitoring and Management (RMM) program. This can be set up and handled by Rafiki Technologies. It offers multiple benefits, including:
- Compliance with regulations
- Remote wipe if a device is lost or stolen
- Device location (find-my-device) technology
- Application management, such as updates and patches
Rafiki can monitor and manage all your technology on a 24/7 basis. With Managed IT Services you can prevent downtime and keep your technology running smoothly. We can notify you of areas where we believe your database might be at risk and suggest ways to repair the vulnerability.
Other Ways to Mitigate Vulnerabilities
Having data stored and managed in the cloud is a good way of decreasing your company’s liabilities. The cloud offers many benefits, including better security and scalability; it is also flexible and allows your workforce to be mobile.
How To Protect Your Data From Intrusion
With hackers around the world now scaling up their attacks, businesses must be thoroughly prepared. Simple firewalls and antivirus software are no longer enough. Most security experts recommend a layered approach to security. Follow these guidelines to protect your data from future data breaches:
- Policies: Create and enforce security policies for your company.
- People: Make sure your employees know what a phishing email looks like. Most workers need regular training in this area so they don’t get careless.
- Technology: Make sure you have the right technologies in place to prevent a cyber-attack from occurring in the first place.
In Conclusion
Canadians want to know how their personal information is being used, and they have a right to know what information is being collected and how it’s being used. In the future, these laws will most likely get even more strict, for several reasons. Data breaches cost companies around the world billions of dollars each year. Cyber thieves are becoming more and more clever. They have fine-tuned their approach and figured out how to get people to open phishing emails. They can mimic the look of major companies like Spotify, PayPal, Apple and Microsoft. Ransomware scams have been highly successful, and hackers are often able to earn thousands of dollars per day by taking over a company’s database and then threatening to destroy all the information unless a ransom is paid.
What Can You Do?
There are numerous ways to protect your data from a breach. Rafiki Technologies can help you assess your current security protocols and create stronger measures. We can also advise you on how to proceed if a data breach has already occurred. It’s important to determine exactly what happened and notify those affected, along with the Canadian authorities, as quickly as possible. By waiting, you risk hefty fines, and your company’s reputation could be ruined.
Proactive Monitoring can help. We will continually scan and track the stability and security of your IT system for maximum uptime, identifying any security issues. This is included as part of our Managed Services.