CRSP Part 8: PIPEDA Privacy Act Amendments Are Law in Canada

This is one in a series of related short essays for 2015 about the unrelenting cyber stresses every person and every organization now faces. The first essay, titled Cyber Risk, Security & Privacy (CRSP) – Waterloo Region’s Vibrant New Business Cluster, appeared in the December 2014 issue of The Triangle.

“Law-abiding citizens value privacy. Terrorists require invisibility. The two are not the same, and they should not be confused.” David Frum & Richard Perle[i]

Summary

Privacy laws with penalties have been in force for some time now in 47 of 50 U.S. states. In most Canadian provinces and territories, however, this has not been the case – until now. The long-awaited amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), called the Digital Privacy Act, received Royal Assent on June 18, 2015. Bill S-4 is now law in Canada. Although Cabinet has not yet proclaimed the Act’s breach reporting provisions in force, Canadian businesses should be preparing to comply with them. U.S. businesses with offices in Canada or business partners in Canada should also take note of this important legislation, as they will now face the new requirements described below.

An Organization’s Obligations

There are now three breach reporting requirements “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual” as follows:

1. Reporting to the Privacy Commissioner;

2. Reporting to the individual;

3. Reporting to agencies that can reduce harm to the individual.

Significant Harm

In this context, significant harm is now broadly defined and “includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”.

Consequences for Non-Compliance

The Commissioner’s office may disclose information about an organization’s personal information (PI) management practices to the public if it believes disclosure to be in the public interest. The Commissioner’s office can enter into compliance agreements with organizations that it believes are, or may be, subject to breaches. Anyone who knowingly contravenes these requirements is subject to a penalty of up to $10,000 on summary conviction or $100,000 on indictment.

What does this mean in the context of cyber risk management?

Canadian organizations are now required to report cyber breaches that may cause “significant harm”, as described above, both to the Privacy Commissioner and to the affected individual(s). They may also be required to notify other organizations, such as law enforcement, where doing so could mitigate the damage caused by the breach.

More than anything else, this development will substantially increase awareness of the extent to which cyber breaches involving personally identifiable information are occurring in Canada. As a result, organizations of all sizes and sectors will now be more likely to take this important subject much more seriously. Not only may financial penalties be levied; considerable damage to the organization’s reputation may also result from public notification and disclosure.


[i] David Frum & Richard Perle, An End to Evil, Mass Market Paperback, October 2004, 71.

CRSP Part 7: Are significant cyber hacking breaches now more prevalent than most think?


“Be Prepared.” Motto of Guides and Scouts worldwide.[i]

According to a report recently published in Canadian Underwriter, “Almost 70% of businesses experienced at least one significant hacking incident in the last year.”[ii] This is based on a sample of roughly 100 business risk managers, with most of the respondents (93%) from companies of 100 employees or more. Eric Cernak, cyber practice leader for Munich Re, said:

“Businesses are on high alert, but they can do a lot better. Simply reacting to new threats is not enough. Businesses of all sizes need to anticipate hacking trends and deploy the resources necessary to protect their private or sensitive information.”[iii]

This confirms the experience of local CRSP cybersecurity companies such as Watsec and eSentire. It is a wake-up call for all organizations in our Region to make certain they are prepared for cyber breaches, because the chances of at least one significant event occurring to them in the next 12 months are very high. And although the study cited here covers predominantly larger organizations of more than 100 employees, it is clear that smaller organizations are also at risk.

In a February 2015 article in the Globe & Mail, Jordana Divon interviewed Kevvie Fowler of KPMG Canada. He says:

“Based on what we’re seeing, small businesses are still focusing on the bare minimum to meet the compliance requirements to stay in business…As a result, a lot of small and medium enterprises are finding themselves in hot water, warning that Canadian business owners are just as vulnerable to hackers as anyone in the world.”[iv]

How are hackers attacking so many organizations with such success?

One example is the case of a “good-guy” hacker who performed what he called the 2012 Internet Census.[v] He created a botnet of roughly 400,000 poorly protected Linux computing devices, inserted code in these devices to scan the entire Internet address range in parallel, and discovered that he could find millions of vulnerable systems around the globe in approximately 30 minutes of elapsed time. Though he removed his malware after completing his “study”, he published on the Internet how it was done. Lesson learned: if you have internal systems exposed to the public Internet, they will be found, targeted and exploited if they are not properly secured.

How are local organizations helping to address this problem?

As mentioned in last month’s The Triangle article[vi], organizations such as some of those that comprise the Canadian Centre for Cyber Risk Management (C3RM) assist in addressing this problem in many ways, including user education, cyber risk loss control assessments, real-time monitoring and corporate governance reviews for effective security policies and controls.


[i] “Scout Motto”, Wikipedia.

[ii] “Nearly three-quarters of businesses experienced at least one hacking incident in the last year”, Canadian Underwriter, June 3, 2015.

[iii] Ibid.

[iv] Jordana Divon, “Cyberattacks an ongoing threat to Canadian small businesses”, Globe & Mail, February 2, 2015.

[v] “Internet Census 2012”, internetcensus2012, 2012.

[vi] CRSP Part 6: How the Canadian Centre for Cyber Risk Management Members are Helping Organizations Address Cyber Risk, The Triangle, May 2015.