Ransomware Insurance

With ransomware attacks on the rise, the role of insurance is becoming more robust. And, although ransomware coverage has been traditionally sublimited within cyber policies, stand-alone cyber policies that cover ransomware are becoming more necessary.

In an attempt to find additional coverage for ransomware, many businesses and carriers have turned to kidnap and ransom (K&R) policies. K&R policies have traditionally been used by organizations to protect their executives, not to protect against ransomware. Because K&R policies were not designed for ransomware, they may only provide a quick fix. K&R policies tend to be less suitable for ransomware than cyber policies and payouts tend to be lower.

Policy Definitions, Terms and Conditions

Since cyber insurance isn’t standardized, organizations should review all policy language with a broker before choosing a plan. Policies can vary significantly in their language and coverage options, so insurance experts recommend policies that—at the very least—provide coverage for extortion demands and payments as well as lost income resulting from an attack.

Organizations should also take a close look at the following definitions, terms and conditions when choosing a policy:

  • Sublimits and deductibles—Most policies set a sublimit for covering ransomware. It is important to review this limit carefully, considering that demands may start on the low side, but can increase quickly. Additionally, since making a ransom payment may make organizations a target for subsequent ransom demands within the policy year, the deductible amount should reflect that risk.
  • Payment terms—Most policies require prior written consent before the insured can pay any ransom. This can result in payment delays and increased demands by the hackers. If an organization pays a ransom in order to resume business, without prior written consent by the insurer, there’s a chance that it may not be reimbursed. Therefore, organizations need to be comfortable with a policy’s terms in order to avoid compromising coverage.
  • Definition of extortion—It is important for organizations to fully understand and agree with their insurance company’s definition of extortion, since the definition dictates the trigger for coverage. For example, although hackers may intend to sell or misuse information, the ransom demand may only involve a countdown timer and demand for money. While the combination of the two may seem like an obvious threat to the insured, a carrier could possibly deny coverage on the basis that there was no explicit threat to sell or misuse information—all because of its unique definition of extortion.

What to Look for in a Policy

Companies should look for ransomware coverage that uses broad terminology and protects against a wide range of threats, including threats to do the following:

  • Access, sell, disclose or misuse data stored on your network, including digital assets.
  • Alter, damage, or destroy software or programs.
  • Introduce malicious software, including viruses and self-propagating code.
  • Impair or restrict access. Look for policies with broad terms like, “threats to disrupt business operations.”
  • Impersonate the insured in order to gather protected information from its clients, also known as pharming or phishing.
  • Use your network to transmit malware.
  • Deface or interfere with your company’s website.

The Importance of Risk Management

Ransomware insurance is most effective when coupled with an effective risk management program, as there are many components in the fight against cyber crime. Risk managers should work with an insurance broker to review all applicable options before choosing cyber coverage.

Contact your insurance broker today to learn more about available cyber policies and effective risk management techniques to protect your organization from ransomware attacks.

© Zywave, Inc. All rights reserved

Privacy and Cyber Security

With the enormous amount of sensitive information stored digitally, companies need to take appropriate measures to ensure this data is not compromised. Ultimately, it is the responsibility of business owners to protect their clients’ data. Understanding the risks involved with data security can help you prevent a privacy breach.

Know the Risks

The first step in protecting your business is to recognize types of risk:

  • Hackers, attackers and intruders. These terms are applied to people who seek to exploit weaknesses in software and computer systems for their personal gain. Their intentions are usually malicious and their actions are typically in violation of the intended use of the systems that they are exploiting. The results of this cyber risk can range from minimal mischief (creating a virus with no negative impact) to damaging activity (stealing or altering a client’s information).
  • Malicious code. This is the term used to describe code in any part of a software system or script that is intended to cause undesired effects, security breaches or damage to a system.
    • Viruses: This type of code requires that you actually do something before it infects your system, such as open an email attachment or go to a particular Web page.
  • Worms: This type of code propagates between systems without user intervention. Worms typically start by exploiting a software flaw. Then, once the victim’s computer is infected, the worm will attempt to find and infect other computers.
    • Trojan horses: Trojans hide in otherwise harmless programs on a computer, and much like the Greek story, release themselves to cause damage. A popular type of Trojan is a program that claims to speed up your computer system but actually sends confidential information to a remote intruder.

IT Risk Management Practices

To reduce your cyber risks, it is wise to develop an IT Risk Management Plan at your organization. Risk management solutions use industry standards and best practices to assess hazards from unauthorized access, use, disclosure, disruption, modification or destruction of your organization’s information systems. Consider the following when implementing risk management strategies at your organization:

  • Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, their importance to the organization and the data stored and processed.
  • Review the cyber risk plan on an annual basis and update it whenever there are significant changes to your information systems, the facilities where systems are housed change, or other conditions arise that may affect the organization’s risk exposure.

Due Diligence When Selecting an ISP

Your organization should take precautionary measures when selecting an internet service provider (ISP) to use for company business. An ISP provides its customers with Internet access and other Web services. In addition, the company usually maintains Web servers, and most ISPs offer Web hosting capabilities. As part of this service, many providers perform backups of emails and files, and may implement firewalls to block some incoming traffic.

To select an ISP that will reduce your cyber risks, consider the following:

  • Security – Is the ISP concerned with security? Does it use encryption and SSL to protect any information that you submit?
  • Privacy – Does the ISP have a published privacy policy? Are you comfortable with who has access to your information, and how it is handled and used?
  • Services – Does your ISP offer the services that you want and do they meet your organization’s needs? Is there adequate support for the services provided?
  • Cost – Are the ISP’s costs affordable and are they reasonable for the number of services that you receive? Are you sacrificing quality and security to get a lower price?
  • Reliability – Are the services provided by the ISP reliable, or are they frequently unavailable due to maintenance, security problems and a high volume of users? If the ISP knows that their services will be unavailable, does it adequately communicate that information to its customers?
  • User support – Are there any published methods for contacting customer service? Do you receive prompt and friendly service? Do their hours of availability accommodate your company’s needs?
  • Speed – How fast is your ISP’s connection, and is it sufficient for accessing your email or navigating the Web?
  • Recommendations – What have you heard from industry peers about the ISP? Were they trusted sources? Does the ISP serve your geographic area?

Protection is our Business

Contact your broker today to ensure you have the proper coverage to protect your company against a data breach.

5 Steps to Website Security

Website security is more important than ever. Cyber criminals are constantly looking for improperly secured websites to attack; therefore, it is essential to secure servers and the network infrastructure that supports them. The consequences of a security breach may include loss of revenue, damage to credibility, legal liability and loss of customer trust.

Web servers, which host the data and other content available to your customers on the Internet, are often the most targeted and attacked components of a company’s network. By securing your Web server, you protect customers and prospects that use your company website. The following are examples of specific security threats to Web servers:

  • Cyber criminals may exploit software bugs in the Web server, underlying operating system or active content to gain unauthorized access to the Web server.
  • Denial-of-service attacks may be directed at the Web server or its supporting network infrastructure to prevent or hinder your website users from making use of its services. This can include preventing the user from accessing email, websites, online accounts or other services. The most common attack is flooding a network with information, so that it can’t process the user’s request.
  • Sensitive information on the Web server may be read or modified without authorization.
  • Information on the Web server may be changed for malicious purposes.
  • Cyber criminals may gain unauthorized access to resources elsewhere in the organization’s network with a successful attack on the Web server.
  • The server may be used as a distribution point for attack tools, pornography or illegally copied software.

Take the following five steps to protect your company from the threats listed above.

Step 1: Form a plan and utilize the right people.

Because it is much more difficult to address security once deployment and implementation have occurred, security should be considered from the initial planning stage. Businesses are more likely to make decisions about configuring computers appropriately and consistently when they develop and use a detailed, well-designed deployment plan. Developing such a plan will support Web server administrators in making the inevitable trade-off decisions between usability, performance and risk.

Make sure to define appropriate management security practices, such as identification of your company’s information system assets and the development, documentation and implementation of policies, as well as guidelines to help ensure the confidentiality, integrity and availability of information system resources.

Businesses also need to consider the human resources requirements for the deployment and continued operation of the Web server and supporting infrastructure. Consider the personnel you will need on your team—for example, system and Web server administrators, webmasters, network administrators and information systems security personnel. Additionally, consider the level of training (initial and ongoing) that will be required to maintain this team.

Step 2: Ensure that Web server operating systems and applications meet your organization’s security requirements.

When securing a Web server, you must first secure the underlying operating system. Most Web servers operate on a general-purpose operating system. Many security issues can be avoided if the operating systems underlying Web servers are configured appropriately. Default hardware and software configurations are typically set by manufacturers to emphasize features, functions and ease of use at the expense of security. Because manufacturers are not aware of each organization’s security needs, Web server administrators must configure new servers to reflect their business’ security requirements and reconfigure them as those requirements change. Make sure to take the following steps as appropriate to your business:

  • Patch and upgrade the operating system.
  • Change all default passwords.
  • Remove or disable unnecessary services and applications.
  • Configure operating system user authentication.
  • Configure resource controls.
  • Install and configure additional security controls.
  • Perform security testing of the operating system.

Step 3: Publish only appropriate information.

Company websites are often one of the first places cyber criminals search for valuable information. Still, many businesses lack a Web publishing process or policy that determines what type of information to publish openly, what information to publish with restricted access and what information should not be published to any publicly accessible repository. Some generally accepted examples of what should not be published, or what should at least be carefully examined and reviewed before being published on a public website, include the following:

  • Classified or proprietary business information
  • Sensitive information relating to your business’ security
  • A business’ detailed physical and information security safeguards
  • Details about a business’ network and information system infrastructure—for example, address ranges, naming conventions and access numbers
  • Information that specifies or implies physical security vulnerabilities
  • Detailed plans, maps, diagrams, aerial photographs and architectural drawings of business buildings, properties or installations
  • Any sensitive information about individuals that might be subject to privacy laws

Step 4: Prevent unauthorized access or modification on your site.

It is important to ensure that the information on your website cannot be modified without authorization. Users of such information rely on its integrity. Content on publicly accessible Web servers is inherently more vulnerable than information that is inaccessible from the Internet, and this vulnerability means businesses need to protect public Web content through the appropriate configuration of Web server resource controls. Examples of resource control practices include the following:

  • Install or enable only necessary services.
  • Install Web content on a dedicated hard drive or logical partition.
  • Limit uploads to directories that are not readable by the Web server.
  • Define a single directory for all external scripts or programs executed as part of Web content.
  • Disable the use of hard or symbolic links.
  • Define a complete Web content access matrix identifying which folders and files in the Web server document directory are restricted and which are accessible, and by whom.
  • Disable directory listings.
  • Deploy user authentication to identify approved users, digital signatures and other cryptographic mechanisms as appropriate.
  • Use intrusion detection systems, intrusion prevention systems and file integrity checkers to spot intrusions and verify Web content.
  • Protect each backend server (e.g., database server or directory server) from command injection attacks.

Step 5: Continuously protect and monitor Web security.

Maintaining a secure Web server requires constant effort, resources and vigilance. Securely administering a Web server on a daily basis is essential. Maintaining the security of a Web server will usually involve the following steps:

  • Configuring, protecting and analyzing log files
  • Backing up critical information frequently
  • Maintaining a protected authoritative copy of your organization’s Web content
  • Establishing and following procedures for recovering from compromise
  • Testing and applying patches in a timely manner
  • Testing security periodically
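The file integrity check called for in Step 4 (file integrity checkers) and the protected authoritative copy in Step 5 can be combined into a baseline-and-verify routine. The script below is an added example, not code from the original bulletin or from Zywave; the directory names and file contents are constructed, and in practice the saved manifest should be kept off the Web server so an intruder cannot rewrite it.

```python
"""Baseline-and-verify integrity check for a Web content directory (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its hash.

    Symbolic links are recorded with a 'symlink:' marker instead of a hash, so a
    link introduced after the baseline shows up as an unexpected addition.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_symlink():
            manifest[rel] = "symlink:" + str(p.readlink())
        elif p.is_file():
            manifest[rel] = hash_file(p)
    return manifest


def save_manifest(manifest: dict, out_path: Path) -> None:
    """Write the baseline as JSON; store this copy somewhere the Web server cannot write."""
    out_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(in_path: Path) -> dict:
    return json.loads(in_path.read_text())


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree against the baseline and report every deviation."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small site, simulate tampering, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"          # constructed document root
        (root / "css").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "css" / "site.css").write_text("body { margin: 0; }\n")

        baseline = build_manifest(root)
        manifest_path = Path(tmp) / "baseline.json"   # would live off-server in practice
        save_manifest(baseline, manifest_path)

        # Simulated unauthorized changes: a defaced page, an unexpected new file,
        # and a deleted stylesheet.
        (root / "index.html").write_text("<h1>Defaced</h1>\n")
        (root / "unexpected.html").write_text("<p>not part of the approved content</p>\n")
        (root / "css" / "site.css").unlink()

        return verify(root, load_manifest(manifest_path))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A scheduled run of `verify()` against the off-server manifest, with any non-empty result raised as an alert, gives the "verify Web content" check the list describes; restoring from the authoritative copy then resolves the reported files.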

Taking proactive measures to secure your website by carefully setting up and maintaining your Web server can save your business from experiencing crushing losses of revenue, customer loyalty and proprietary information. For more information about how to mitigate your cyber risk, contact your broker today.

Is Data Quality the Unspoken Risk of Connected Devices?

Source: Insurance Business

Our lives are becoming more and more data-centric. Sally next door uses an average of 897 kWh of electricity per month, and about 90 gallons of water each day. She’s had one costly car accident, multiple speeding fines, and her car has been broken into twice because she parks it overnight on an unlit street.

Sally’s insurance premiums are calculated using this data. We know what utilities she uses because of her home sensor device, and her connected car is catching out her heavy-footed acceleration tendencies.

Connected devices and the Internet of Things (IoT) are proliferating fast. Experts at the leading research and advisory company Gartner suggest there could be more than 20 billion connected devices in use across the world by 2020, up from 8.4 billion connected things in 2017.

As the number of IoT devices continues to boom, so will the amount of analytical data insurers will have at their fingertips. But can we always trust this data?

“Data quality is a risk we might need to consider as the world becomes more connected,” said Jeff Wargin, vice president, product management at Duck Creek Technologies. “As we get access to more and more data, we’re bound to come across false positives and false negatives. Insurance companies need to have analytics experts and data scientists working through the data and eliminating the poor-quality false positive and false negative results.

“Until that process becomes automated and we can identify the poor data with ease, I think we all run the risk of doing things we shouldn’t be, whether that’s during the underwriting process, claims adjusting, or any purpose outside of insurance.”

Connected devices are not perfect. With the global market booming the way it is, manufacturers are under pressure to release state-of-the-art products ahead of the competition. The occasional slip-up or malfunction is to be expected.

“As the number of connected devices continues to proliferate, and the amount of data we receive increases, it’s going to get harder to spot the problem areas,” Wargin added. “There’s a risk that poor data could slip through the cracks.”

Up to 100,000 Bell Customers Impacted by Data Breach

Bell Canada, one of the nation’s largest telecommunications companies, announced Tuesday, Jan. 23 that up to 100,000 customers were affected by a data breach. The company has said that hackers likely obtained sensitive customer information, including subscriber names, phone numbers, account names and email addresses. At this time, there is no indication that credit card numbers or other banking information was compromised.

The company is advising customers to change their passwords and security questions. Affected users should also be on the lookout for suspicious activity, as cyber criminals will likely use the lost email addresses and user profiles to carry out more harmful phishing and social engineering scams.

Bell is currently working with law enforcement and the Office of the Privacy Commissioner of Canada to investigate the event. Officials are looking to determine how the breach occurred, what Bell is doing to mitigate the situation and potential follow-up actions.

This latest breach comes just eight months after 1.9 million customer emails were stolen from Bell’s database by an anonymous hacker. High-profile cyber security events are becoming commonplace, and organizations must continue to conduct security audits, review their record retention policies and provide employee training if they are to prevent future breaches. While customers can’t prevent companies from being hacked, they can take the following steps to reduce the risk of losing personal information:

  • Encrypt data whenever possible.
  • Back up data.
  • Use anti-malware protection.
  • Update phones and computers regularly.
  • Secure wireless networks.
  • Use a firewall.
  • Make passwords complex and change them often.
  • Avoid clicking suspicious links or navigating to deceptive websites.

To read the official statement from Bell regarding its most recent data breach, click here.

Critical Cyber Exploits Affect Nearly All Computers

Cyber security researchers recently announced the discovery of two major security flaws that could allow hackers to bypass regular security measures and obtain normally inaccessible data. The flaws, referred to as Meltdown and Spectre, are both caused by design flaws found in nearly all modern processors. These vulnerabilities can be exploited to access all of the data found in personal computers, servers, cloud computing services and mobile devices.

Because Meltdown and Spectre are both caused by design flaws, experts believe that they will be harder to fix than traditional security exploits. Additionally, software patches that have already been released to help address the vulnerabilities can cause computer systems to slow down significantly, which may impact their ability to perform regular tasks.

Researchers believe that Meltdown and Spectre may be limited to processors manufactured by different companies, but also warn that the design flaws that contribute to Meltdown and Spectre have been present for years. Here are some key details about each flaw:

  • Meltdown: This flaw can be used to break down the security barriers between a device’s applications and operating system in order to access all of the device’s data. Meltdown can be used to access desktop, laptop, server and cloud computer systems, and can even be used to steal data from multiple users who share one device. Although researchers have only been able to verify that Meltdown affects processors made by Intel, other processors may also be affected. Many software developers have already released updates that prevent hackers from exploiting Meltdown.
  • Spectre: This flaw can be used to break down the security barriers between a device’s different applications and access sensitive data like passwords, photos and documents, even if those applications adhere to regular security checks. Spectre affects almost every type of computer system, including computers, servers and smartphones. Additionally, researchers have confirmed that the design flaw that enables Spectre is present in Intel, AMD and ARM processors that are used by nearly every computer and mobile device. Software developers are currently working on a patch to prevent the exploitation of Spectre, but some experts believe that future processors may have to be redesigned in order to fix the vulnerability.

When Meltdown and Spectre were originally discovered in 2017, researchers immediately reported them to major hardware and software companies so work on security fixes could begin without alerting hackers. As a result, services and applications offered by companies like Microsoft, Google, Apple and Amazon have already been updated to help defend against the flaws. However, you shouldn’t rely solely on a software patch to protect against these vulnerabilities. Here are some steps you can take to protect your computer systems and devices from Meltdown and Spectre:

  • Update all of your devices immediately, and check for new updates regularly. You should also encourage your friends, family members and co-workers to do the same.
  • Contact any cloud service providers and third-party vendors you use to ensure that they are protected against Meltdown and Spectre. Cloud services and computer servers are especially vulnerable to the exploits, as they often host multiple customers on a single device.
  • Install anti-virus and firewall systems to protect against regular malware. Researchers believe that hackers need to gain access to a device in order to exploit Meltdown or Spectre, so keeping your devices free of malware can help prevent data theft.

Uber says over 800k Canadians affected by data breach

Source: Insurance Business Canada

In a statement issued this week, Uber Canada disclosed that the information of 815,000 Canadian riders and drivers may have been affected by a major data breach.

The ridesharing company first announced news of the breach last November. Uber revealed that the breach occurred sometime in October 2016, and resulted in the theft of information from some 57 million Uber accounts globally.

Uber Canada said the information taken by the cyber attackers includes names, email addresses, and mobile phone numbers. The company’s investigation has not identified, however, if the hackers managed to also steal users’ location histories, credit card numbers, bank account numbers, or dates of birth.

The company’s disclosure earlier this week came the same day that the federal privacy commissioner said it had opened a formal investigation into the breach, The Canadian Press reported.

Uber Canada spokesperson Jean-Christophe de le Rue said that the company will cooperate with the commissioner’s investigation.

“The privacy of riders and drivers is of paramount importance at Uber and we will continue to work with the privacy commissioner on this matter.”

In late November, a law firm representing Albertans whose information was compromised by the data breach filed a class-action lawsuit against Uber. On top of general damages, the lawsuit is seeking special damages for costs related to credit counselling, compensation for the plaintiffs’ lost time and income, as well as costs for credit monitoring and other similar services.

How to Respond to and Protect Your Business from Ransomware

The incidents of ransomware in Canada are rising at an alarming rate. In 2015, Canadians were affected by 1,600 ransomware attacks a day. By September 2016, the number of attacks nearly doubled, and those are only the known cases. Unfortunately, many incidents still go unreported. Businesses of all sizes have become targets of ransomware, as it can infect not only personal computers, but also entire networks and servers.

What is Ransomware?

Ransomware is malicious software that infects a computer and denies access to the system or data, and demands a sum of money to restore the information. Presently, the most common forms of ransomware will encrypt data.

Victims often receive an onscreen alert stating their files have been encrypted or a similar message, depending on the type of ransomware. The message on the lock screen may even claim to come from the federal government, accusing the user of violating a law and demanding a fine.

Organizations are then prompted to pay a ransom to unlock their computer systems or gain access to critical documents. Typically, the hackers behind the ransomware demand bitcoin—a type of digital currency that is difficult for police to trace.

How Ransomware Can Spread

There are different ways that ransomware can spread, including the following:

  • Visiting fake or unsafe websites
  • Opening emails or email attachments from unknown sources
  • Clicking on suspicious links in emails or on social media

How to Respond

Some operating systems provide instructions for responding to lock-screen ransomware, although results aren’t guaranteed. In contrast, encryption ransomware has no quick fix without an encryption key, which only the hackers typically have access to.

Regardless of the type of ransomware, experts recommend against paying the ransom. After all, there is no guarantee that you will regain access to your computer, network or files after you pay. Furthermore, by paying the ransom, you could be encouraging future cyber crimes.

If your business is affected by ransomware, take the following steps:

  • Do not do anything further on your computer systems. If possible, consult your IT department or an IT professional for assistance.
  • Immediately contact the Canadian Cyber Incident Response Centre (CCIRC) to report the incident. The CCIRC can assist your business in mitigating further damage.
  • Open a criminal investigation into the matter by reporting the incident to your local police force or jurisdiction, and inform the CCIRC that you have done so.
  • Report the incident to the Canadian Anti-fraud Centre.
  • Contact your insurance broker to discuss next steps from an insurance perspective.

What to Do if You’ve Already Paid the Ransom

Since business can come to a halt without access to essential data, business owners are often tempted to pay the ransom in order to quickly regain access. If you’ve paid the ransom, contact your bank and call the authorities as soon as possible. Credit card companies may be able to block the transaction and refund you if you contact them promptly.

How to Protect Your Business

Cyber extortion from ransomware is a legitimate threat to all businesses—no matter the size. The best method of prevention is to keep confidential information and important files securely backed up in a remote location that is not connected to your main network.

In addition to backing up your files, taking the following prevention measures can help keep your information secure and prevent you from becoming a victim of cyber attacks:

  • Teach your employees about ransomware and the importance of preventing it.
  • Instruct employees never to click on links or open attachments in emails sent by a party they do not know.
  • Show your employees how to detect suspicious emails and attachments. For example, tell them to watch for bad spelling or unusual symbols in email addresses.
  • Develop a protocol for reporting incidents of ransomware and other suspicious cyber activity.
  • Develop a schedule for regularly backing up sensitive business files.
  • Update your company software as soon as new updates are released. In doing so, you can patch the security vulnerabilities that cyber criminals rely on, and avoid becoming an easy target.
  • Purchase cyber liability insurance that not only helps you respond to threats, but can also help cover the cost of the ransom and any other losses incurred as a result of cyber extortion.

Don’t let ransomware—or any type of cyber exposure—threaten your business. Contact your insurance broker to ensure you have the proper coverage and the tools necessary to protect against losses from cyber attacks.

KRACK Cyber Vulnerability Puts Wi-Fi Networks at Risk to Hackers

Recently, Mathy Vanhoef, a researcher from a Belgian university, discovered a security flaw in Wi-Fi Protected Access II (WPA2)—a protocol that secures almost all modern, protected Wi-Fi networks. Through this newfound vulnerability, hackers can potentially gain access to encrypted information using what is called a key reinstallation attack (KRACK).

Any organization or individual that utilizes Wi-Fi is at risk for an attack, and hackers can use the KRACK method to steal sensitive information like credit card numbers, passwords, chat messages, emails, photos and most data that is stored or transmitted online.

What’s particularly troubling about this cyber threat is that it’s not tied to a specific machine or software; it is instead a flaw in how WPA2 was originally designed. Essentially, all a hacker needs to do to access your protected information is to be near your Wi-Fi access point and execute a script that tricks a system into bypassing the security. Not only does this allow cyber criminals to eavesdrop on network traffic, but they can also infect connected machines with malware.

While Vanhoef demonstrated the vulnerability on an Android device, KRACK can likely be used against a number of other operating systems, including Linux, Windows and macOS.

Thankfully, KRACK can be mitigated with patches, and Vanhoef warned many companies of the security flaw well before publishing his findings, giving them time to develop fixes. It’s possible your devices and network equipment have already been patched.

However, there are still a number of precautions businesses and individuals should take, including the following:

  • Update all laptops, smartphones, smartwatches and other devices that can be connected to Wi-Fi.
  • Be cautious about using any hardware that has not yet been patched, as any information stored or transmitted on that device could be compromised.
  • Contact your internet service provider to determine if you need to update your network.



Federal Government Publishes Data Breach Reporting Requirements Draft

OVERVIEW

Last month the Canadian government published proposed regulations relating to the mandatory reporting of privacy breaches under Canada’s federal data protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA).

While the regulations put forth by the government are simply proposed rules, they do provide an indication of what will likely be included in the final regulations. The regulations are expected to be finalized in the coming months.

This Compliance Bulletin examines the relevant PIPEDA provisions, the proposed data breach regulations and the potential implications for organizations subject to PIPEDA.

BACKGROUND

In June 2015, Canada passed into law the Digital Privacy Act (DPA), a law that made a number of important changes to PIPEDA. While most of the amendments contained in the DPA came into force in 2015, the provisions of the law relating to mandatory data breach reporting and record-keeping have not yet come into force.

Once in force, the data breach provisions of PIPEDA and the corresponding regulations will require organizations to report to the Office of the Privacy Commissioner of Canada (Commissioner) any breach of security safeguards involving personal information under their control if it is reasonable in the circumstances to believe that the breach creates a “real risk of significant harm” to an individual. Organizations will also be required to notify any affected individuals and any other organization or government institution that may be able to mitigate the harm to affected individuals. The report and notification must occur as soon as feasible after the organization determines that a breach has occurred.

Under that law, “significant harm” includes bodily harm; humiliation; damage to reputation or relationships; loss of employment, business or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property. Factors organizations must consider when assessing whether a breach creates a real risk of significant harm to an individual include the sensitivity of the personal information involved and the probability that the personal information has been, is being or will be misused.

Draft Regulations

Reports to the Commissioner: Content, Form and Manner

According to the draft regulation, a report to the Commissioner must be made in writing and contain the following information:

  • A description of the circumstances of the breach and, if known, the cause;
  • The day on which, or the period during which, the breach occurred;
  • A description of the personal information that is the subject of the breach;
  • An estimate of the number of individuals in respect of whom the breach creates a real risk of significant harm;
  • A description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm;
  • A description of the steps that the organization has taken or intends to take to notify each affected individual of the breach; and
  • The name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

Under the proposed regulations, data breach reports can be submitted with the best information available to the organization at the time. This allows organizations to report breaches quickly and take the appropriate actions, even when key information regarding the incident is not yet available.

Requirements for Notifying Affected Individuals of a Data Breach

Under PIPEDA, notification to an affected individual must contain sufficient information to allow the individual to understand the significance of the breach and to take steps, if possible, to reduce or mitigate the risk of harm that could result. According to the draft regulations, a notification to an affected individual, at a minimum, must contain:

  • A description of the circumstances of the breach;
  • The day or time frame the breach occurred;
  • Descriptions of the type of personal information that was compromised during the breach;
  • A description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
  • A description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
  • A toll-free number or email address impacted individuals can use to obtain further information regarding the breach; and
  • Information about the organization’s internal complaint process and about the affected individual’s right, under PIPEDA, to file a complaint with the Commissioner.

Notifications must be given directly to affected individuals by email, by letter (delivered to the individual’s last known home address), by telephone call, in person, or through any other secure form of communication that the affected individual has consented to receiving information from the organization through.

Indirect Notification

Under limited circumstances, organizations will be allowed to provide affected individuals with indirect notification of a data breach. According to the draft regulations, organizations will be able to provide indirect notification only if:

  • A direct notification would cause further harm to the affected individual;
  • The cost of giving a direct notification is prohibitive for the organization; or
  • The organization does not have contact information for the affected individual or the information that it has is out of date.

The draft regulations indicate that indirect notification may be given only in one of two ways: by a conspicuous message posted on the organization’s website for at least 90 days, or by an advertisement that is likely to reach the affected individuals.

Record-keeping Requirements

Once in force, the data breach provisions of PIPEDA and the regulations will require organizations to maintain a record of every breach of security safeguards. The draft regulations state that organizations must maintain these records for a minimum of 24 months after the day on which the organization determines that the breach has occurred, and provide them to the Commissioner upon request. The record must contain sufficient information to enable the Commissioner to verify compliance with the data breach reporting and notification requirements above.

NEXT STEPS

While the regulations are not finalized and an enforcement date has not yet been announced, organizations should take the proper steps to ensure they are PIPEDA compliant. While the new reporting and record-keeping requirements appear to place an administrative burden on organizations, companies that already have cyber security protocols in place will likely experience minimal impact.

To learn more about the regulations, you can read a detailed impact analysis statement and the regulation’s text through the Canada Gazette.
