Mandatory Reporting of Breaches of Security Safeguards

This article was originally published in French on the Droit-Inc site. It has been translated and reproduced with permission

In an article written for droit-inc.com, MNP’s Tom Beaupre, QSA, CISSP, CISA, BS, and Corey Anne Bloom CPA, CA, CA.IFA, CFE, CFF, recently discussed new federal breach reporting rules and what the changes mean for Canadian organizations. They highlight the need to shift toward a more security-focused mindset and offer practical steps leaders can take to protect their organizations in a stricter regulatory environment with increasing cyber crime.

With security breaches on the rise, this new framework comes at just the right time.

On the heels of the European Union’s General Data Protection Regulation that took effect in May 2018, Canada is introducing the Breach of Security Safeguards Regulations, which all Canadian organizations will have to comply with as of November 1, 2018.

These new regulations under the Digital Privacy Act require that all data security breaches that could create a “real risk of significant harm” be immediately reported to the federal regulatory authorities.

With the recent news of security breaches at companies like Air Canada and BMO, the timing of these new regulations couldn’t be better.

Impact on all Canadian organizations

While the Digital Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA) apply specifically to organizations that collect, use and disclose personal information in the course of their commercial activities in Canada, the new Breach of Security Safeguards Regulations will have a broader scope. These regulations will apply across the board to all Canadian organizations, including small businesses, in keeping with the federal government’s Small Business Lens program.

Determining “significant harm”

To determine significant harm, organizations need to look at a number of factors. Aside from the risk of identity theft, they also need to weigh the sensitive nature of the data and how it could be misused.

Could the information be used to humiliate someone? Could it damage their reputation or relationships? Could it lead to financial loss, property loss or loss of employment, business or professional opportunities?

Reporting responsibilities

If an organization suffers a security breach that could create a “real risk of significant harm”, it is required to:

1. Determine whether the breach creates a “real risk of significant harm” (and to what extent).
2. Notify all affected clients to explain the security breach and the circumstances surrounding it.
3. Notify the Privacy Commissioner of Canada of the circumstances and cause (if known) of the security breach.
4. Keep a record of the security breach for at least 24 months.
5. Comply with the Digital Privacy Act regulations and keep compliance certification documents on hand.

Beyond understanding the risks

Despite the strong recommendation that all organizations subject to PIPEDA have an action plan in place for protecting personal information, businesses are still somewhat in denial about the real risk of cyber attacks.

Presumably this new framework will prompt some deeper analysis as its success will depend on the willingness and ability of organizations to realign their management, resources, internal processes and technologies.

That’s where lawyers, IT security and investigation specialists (forensic accountants) and cyber security professionals will be valuable allies in helping to classify and identify sensitive data, preserve or recover that data, set priorities and put protection programs in place.

Ultimately, requiring Canadian businesses to comply with these new regulations should also lead to better practices for protecting personal information and, generally speaking, stronger cyber security as businesses try to stay one step ahead of cyber fraud.

Tom Beaupre QSA, CISSP, CISA, BS, is a Partner and Quebec Cyber Security Leader with MNP. He can be reached at 514.861.9724 or email [email protected].

Corey Bloom CPA, CA, CA.IFA, CFE, CFF, is a Partner and Eastern Canada Leader with MNP’s Forensics and Disputes Practice. She can be reached at 514.861.9724 or email [email protected].