The Digital Privacy Act
Most people and organizations aren’t yet aware of the Digital Privacy Act, but here in Canada it will be coming into effect later in 2017. With this amendment to the Personal Information Protection and Electronic Documents Act, the Federal Government will change how companies must handle their electronic information, as well as any potential data breaches.
To summarize, Canadian businesses or organizations, ranging from ‘mom and pop shops’ to large corporations, will soon be legally obligated to report any network breaches that might compromise personal records. These cases could include a lost or stolen laptop or phone, or malware which might have compromised individual computers or networks.
Failure to comply with the new rules and regulations could cost a company up to $100,000 in fines. In other words, your business had better be prepared to handle this change, or face serious penalties.
Organizations will need to keep a record of all breaches going forward, no matter how insignificant the incidents may seem. Breaches that will need to be reported to the Office of the Privacy Commissioner are those that might cause bodily harm; humiliation; damage to reputation or relationships; loss of employment, business or professional opportunities; financial loss; or identity theft. In other words, almost any breach can qualify under the above stipulations, so organizations should be ready to formally report most incidents.
The challenge, of course, comes from the fact that cyberattacks are often quite sophisticated and a company might not even know it has been breached. If you don’t have the proper tools to detect such incidents, you are facing an uphill battle. Organizations are going to need to know as soon as possible what is happening on their network and quickly assess the damage: you must avoid any situation where your company’s infrastructure is compromised without your knowledge and an outside party later informs you that they were breached as a result of your negligence.
Companies will need to invest in proper tools in advance, so that they are deployed and tested before the Act comes into effect. Policies for disclosure and employee training will have to be in place: everyone must know what abnormalities or inconsistencies to look for, and what to do if they notice them. The days of hiding cyberattacks are coming to an end, and not complying with the new law will only make the damage even more severe.