Feds set to regulate reporting of digital data breaches

TORONTO—The federal government is changing how companies must handle digital information and data breaches, and companies that don’t take data security seriously could soon find themselves in a world of financial pain.

Canadian companies will soon be legally required to file a report with the Office of the Privacy Commissioner (OPC) when they experience a network breach that compromises personal data. Companies will also be required to notify all those affected by the breach: employees, customers and relevant third parties.

Companies that fail to comply could face fines of up to $100,000.

This new regulation is part of the Digital Privacy Act, a bill which came into law June 2015, bringing a major overhaul to the existing Personal Information Protection and Electronic Documents Act. However, the requirement to disclose breaches was omitted from the 2015 codification, due to the lack of specifics needed to enforce it.

Now those details are close to being ironed out, and the requirement to disclose breaches is coming in late 2017.

Businesses will need to be prepared.

Breaches that require notification are, according to the Digital Privacy Act, instances that pose “real risk of significant harm to affected individuals.” This definition includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft.

Only breaches that meet the the definition need to be formally reported, but companies will be required to keep a record of every breach involving personal information—no matter how small—and provide a copy to the OPC upon request.

Reporting and recording breaches is not a simple process, however. Cybersecurity attacks are often so sophisticated that a company may not even know it has been breached.

David Masson, Canadian country manager of the cybersecurity firm Darktrace, says that if you don’t have the tools in place to detect a breach right away, “You might not find out about it until a year later, when a third party vendor says they’ve been hacked because of you.”

If your company’s current technology can’t even tell you that a breach has occurred, that is a big problem.

“You’re going to need to know what’s going on inside the network. You’re going to need to know as soon as possible that you have been breached and what the damage is,” Masson said.

To achieve this level of accuracy, companies will need a security platform that can tell them what is happening in their system at all times and present details on which files have been compromised.

Many companies will have to update their systems and invest in new technologies to meet these standards. That might seem like a costly investment, but if you don’t have the right tools, tracking down a breach and figuring out what happened can take a massive financial toll, along with drawing resources away from more important projects.

“Start taking security seriously, and making sure there’s proper policies in-place,” Masson said, adding that businesses need to ensure their employees take data security seriously, too.

A good policy for disclosure is also key. If employees don’t have a reference point for what to do when they spot an anomaly in the system, they might not bring it to anyone else’s attention. Transparency needs to be a part of company culture. If not, company’s might discover their breaches being disclosed on somebody else’s terms.

A cybersecurity attack can have disastrous consequences, but sweeping it under the rug will only make a bad situation worse.