Is Your Organization Ready for Mandatory Data Breach Notifications?

Overview

On June 18, 2015, the Digital Privacy Act (DPA) received royal assent and became law. Among other things, the DPA amended the Personal Information Protection and Electronic Documents Act (PIPEDA) by revising consent requirements, introducing mandatory breach notification and record-keeping requirements, and adding significant fines for non-compliance.

While many of the measures introduced by the DPA have been in force since the bill was first enacted, the government held off on imposing mandatory breach reporting until the proper regulations were implemented.

Such regulations could be in place as early as fall 2017, and organizations will want to ensure that they know what is expected of them in order to remain compliant and avoid costly fines as high as $100,000.

Mandatory Data Breach Notifications

The DPA imposes reporting requirements for every organization in Canada that suffers a data breach, particularly if that data breach creates a real risk of significant harm to the personal information of one or more individuals. While the full extent of the reporting requirements will not be known until the corresponding regulations are published, the DPA defines significant harm broadly to include the following:

  • Bodily harm
  • Humiliation
  • Damage to reputations or relationships
  • Loss of employment, business or professional opportunities
  • Financial loss
  • Identity theft
  • Negative effects on credit records
  • Damage to or loss of property

Most often, the existence of “a real risk of significant harm” will be based on the sensitivity of the personal information involved in the breach, the probability that the personal information will be misused and additional factors that may be prescribed by the forthcoming regulations.

If a breach causing significant harm to one or more individuals occurs, the affected organization must do the following, as soon as feasible:

  • Report the incident to the Office of the Privacy Commissioner of Canada (Privacy Commissioner).
  • Notify affected individuals of the breach and provide them with information on how they may minimize the harm caused by the breach.
  • Inform other organizations and government entities of the breach, especially if they believe that doing so could reduce risks or mitigate harm.

Notices must contain enough information to help affected individuals fully understand the extent of harm caused by the breach. Additionally, notices must be conspicuous and provided directly to affected individuals. However, in limited circumstances, indirect notices may be permitted. Once again, more detail will be available to organizations once the forthcoming regulations are published.

Record-keeping Requirements

Another key change under the DPA will be the requirement that organizations keep records of all security breaches involving personal information. While it is still unclear the level of detail these records will need to contain, it is clear that the Privacy Commissioner will have the right to request and review these records at any time.

Penalties for Non-compliance

Under the DPA, fines up to $100,000 may be imposed against organizations that knowingly violate the mandatory breach notification requirements or breach record-keeping requirements. Until the regulations are finalized, it will remain unclear if a violation will include a single incident (for example, a single failure to notify all individuals impacted by a breach) or each incident (for example, each failure to notify each individual impacted by a breach). However, it is clear that the Privacy Commissioner now has the ability to impose significant fines for non-compliance.

What Does this Mean for Organizations?

Mandatory data breach notifications could impact any organization that is at risk of a cyber attack. Given the reach of the DPA and upcoming regulations, all organizations should consider doing the following:

  • Review and update existing protocols and policies to account for detecting, responding and reporting data breach incidents internally.
  • Assess the types of information—personal information, intellectual property, supplier data, etc.—they hold and how they would respond in the event of a breach.
  • Create a data breach incident response plan if one does not already exist. Such a plan should include methods for notifying the Privacy Commissioner and any impacted individuals.
  • Ensure that they have sufficient insurance in place and have taken the steps to mitigate any litigation exposures. Such steps often include requiring employee training, performing security audits and identifying cyber security vendors.

Organizations should review the DPA to ensure they are compliant with all aspects of the legislation.

© Zywave, Inc. All rights reserved

Canada Second Most Expensive Country for Data Breaches

Source: Canadian Underwriter

Canada was the second most expensive country for data breaches, costing an average of $255 per lost or stolen record in 2017, according to a new report sponsored by IBM Security and conducted by the Ponemon Institute.

Released earlier in June, the 2017 Cost of Data Breach Study: Canada report found that Canada was also the second most expensive country of those surveyed for malicious/criminal breaches at $156 per record. The Canadian research report examined the costs incurred by 27 Canadian companies from 12 different industry sectors following the loss or theft of protected personal data and the notification of breach victims as required by various laws.

In Canada, the average total cost of data breaches decreased from $6.03 million in 2016 to $5.78 million in the current year, although the lowest average total cost was $5.32 million in 2015, IBM said in a statement. Over the past year, the average total cost of data breach decreased by 4%, but the average breach size or number of records increased by 3%, the report noted. The number of breached records per incident this year ranged from 4,300 to 69,844, with an average of 21,750 records breached.

The report found that organizations that can contain a breach in less than 30 days save $1.79 million ($4.88 million compared to $6.67 million). However, on average, Canadian organizations took 173 days to identify a breach and 60 days to contain one. This year, the cost of notification in Canada also decreased from $180,000 per company on average in 2016 to $160,000. These costs include IT activities associated with the creation of contract databases, determination of all regulatory requirements, engagement of outside experts, postal expenditures and inbound communication set-up.

IBM noted in the statement that certain industries have higher data breach costs: services ($398 per capita cost), financial services ($356) and technology ($340) companies had a per capita data breach cost above the mean of $255 ($278 in 2016). Public sector ($105), hospitality ($172) and transportation ($175) companies had a per capita cost well below the overall mean value. Investments in incident response teams and plans, extensive use of encryption, employee training programs, board-level involvement or participation in threat sharing were shown to reduce the per capita and total cost of data breach, the statement added.

Of the $255 average per compromised record, $147 pertained to indirect costs, including abnormal turnover or churn of customers, and $108 was related to direct costs incurred to resolve the data breach, such as investments in technologies or legal fees.

From a global perspective, this is the first year the global total cost of a breach has declined in the history of the study, which began in the United States 12 years ago. The 2017 Cost of Data Breach Study: Global Overview said that the global average cost per lost or stolen record was US$141 (from $158 in 2016), with the number one factor to reducing the cost reported as having an incident response team in place (lowering the cost by US$19 per lost or stolen record).

The cost of a data breach also dropped 10% globally in the 2017 study to US$3.62 million from US$4 million. Since debuting in the U.S., the study has expanded to the following countries and regions: the United Kingdom; Germany; Australia; France; Brazil; Japan; Italy; India; Canada; South Africa; the Middle East (including the United Arab Emirates and Saudi Arabia); and the ASEAN region (including Singapore, Indonesia, the Philippines and Malaysia).

Another press release from IBM said that the company identified a close correlation between the response to regulatory requirements in Europe and the overall cost of a data breach. European countries saw a 26% decrease in the total cost of a data breach over last year’s study, the release said, noting that businesses in Europe operate in a more “centralized regulatory environment,” while businesses in the U.S. have unique requirements (48 of 50 states have their own data breach laws).

In the U.S., “compliance failures” and “rushing to notify” were among the top five reasons the cost of a breach rose in the U.S. As well, U.S. companies reported paying over $690,000 on average for notification costs related to a breach – more than double the amount of any other country surveyed in the report.

General global findings included the following:

  • Canada was the third most expensive country for data breaches, costing organizations an average of US$4.31 million;
  • The cost of a data breach in the U.S. was US$7.35 million, a 5% increase compared to last year;
  • Organizations in the Middle East, Japan, South Africa and India all experienced increased costs in 2017 compared to the four-year average costs;
  • Germany, France, Italy and the U.K. experienced significant decreases compared to the four-year average costs. Australia, Canada and Brazil also experienced decreased costs compared to the four-year average cost of a data breach;
  • In the Middle East, organizations saw the second highest average cost of a data breach at US$4.94 million, a more than 10% increase over the previous year;
  • In Brazil data breaches were the least expensive overall, costing companies only US$1.52 million;
  • For the seventh year in a row, healthcare has topped the list as the most expensive industry for data breaches. Healthcare data breaches cost organizations US$380 per record, more than 2.5 times the global average across industries (US$141 per record);
  • The involvement of third parties in a data breach was the top contributing factor that led to an increase in the cost of a data breach, increasing the cost US$17 per record; and
  • Incident response, encryption and education were the factors shown to have the most impact on reducing the cost of a data breach. Having an incident response team in place resulted in US$19 reduction in cost per lost or stolen record, followed by extensive use of encryption (US$16 reduction per record) and employee training (US$12.50 reduction per record).