In response to the ever-evolving cyber-security threats Canadian businesses face in daily internet interactions, the federal government has acted. Later this year, newly drafted hacking disclosure legislation will require all businesses in Canada to report any cyber security breach as soon as they become aware of it.
Until recently, it was up to a company to decide whether to go public if a data breach had occurred, allowing a vast majority of cyber intrusions to go unnoticed or to under-report the number of users impacted (e.g., TJX, Yahoo). While Alberta and British Columbia have had mandatory breach notification regulations since 2010 (PIPA, the Personal Information Protection Act), the rest of Canada has not had such strict reporting laws and will surely need a grace period to ensure internal policies and computer systems adjust accordingly.
Digital Privacy Act Overview
Cyber criminals are effective because of the numerous end-points available for targeting, and the large attack surface of current systems. Ultimately, the end-users who are targets have to be right 100% of the time to protect and safeguard their data. The cyber criminals only have to be right once to be effective!
The concept behind the Digital Privacy Act is that transparency across all industries will help drive adoption of security technologies, improve user behaviour and reveal common trends throughout vertical markets.
While final details are still forthcoming, the information gathered from data breaches will be reported to the Office of the Privacy Commissioner of Canada (PCC). From there, the PCC will decide whether to release it publicly. At the very least, the information collected by the commissioner’s office can alert other businesses to the hackers’ tactics. The information may also allow financial institutions to minimize fraudulent charges or identity theft. The PCC may also determine that the business needs to notify individuals affected by the breach.
Companies will also need to maintain a record of all breaches involving personal information and provide a copy of those records to the privacy commissioner’s office upon request. Organizations that fail to report data breaches to the privacy commissioner’s office or keep records of prior attacks could face fines of as much as $100,000.
The legislation may seem daunting, but the PCC advises that most reports would likely be marked as an “incident”. The more serious ones that turn into complaints will be marked for investigation. For a breach deemed serious enough for investigation, there would have to be evidence that the breach is systemic in nature, or that the organization has not responded adequately.
How Current Regulations Differ From Past Policies
These regulations may sound similar to past legislation or industry specific regulations and policies:
PIPEDA, The Personal Information Protection and Electronic Documents Act
- Federal, private-sector legislation that came into force in stages between 2001 and 2004.
- Organizations are accountable for the protection of personal information collected.
- Personal information may only be collected and disclosed with the knowledge and consent of the individual.
- Your organization’s privacy policies must be readily available.
- Non-profit or not-for-profit organizations may be exempt from complying, as their activities may not be considered commercial.
- Methods of protecting confidential information must include physical (locked cabinets, locked monitors, restricted access), organizational (limiting access to data on a need-to-know basis, security clearance) and technological measures (passwords, encryption, etc.).
However, there are some important distinctions, of which businesses should be aware:
Digital Privacy Act
- There are now financial repercussions should a business fail to comply (penalties up to $100,000).
- The law gives the PCC full authority to audit any organization.
- The scope of information to disclose for the benefit of public interest will broaden.
Things to Consider
The language of the Digital Privacy Act will have to be fully defined in order for businesses to comply. For instance, what is the definition of a data breach? Would ransomware that has encrypted business data qualify as a breach? Perhaps the regulators are more concerned with the release of credit card numbers or the release of individuals’ contact information. Would the loss of an unencrypted device qualify as a “breach of security safeguards”, as the legislation states?
While the specific requirements on how to respond to and maintain records of breaches have yet to be published, there are steps that businesses can take immediately to prepare. A proactive, comprehensive security plan outlined by your IT provider will help navigate the complex threat landscape and identify potential areas for improvement.