By Robert Masse
Organizations that manage customer information — such as retailers, banks, airlines, marketers, and private businesses — may soon be at higher risk for privacy class-action lawsuits and face increased costs to manage data breaches. That’s because mandatory breach reporting is expected to come into effect in the fall of 2017.
First introduced in the Digital Privacy Act of 2015, when the Canadian government amended the existing federal private-sector privacy law (PIPEDA), mandatory breach reporting will require organizations to notify affected individuals, as well as the Office of the Privacy Commissioner of Canada, of any data breach that creates a “real risk of significant harm to the individual.” They must do so “as soon as feasible” or face fines of up to $100,000 or — worse — reputational damage, if an affected customer complains or news of the breach leaks via a security reporter, like Krebs.
“Significant harm” can include humiliation, damage to reputation or relationships, and identity theft. While businesses will be left to determine how quickly to report, report they must. They must also provide the privacy commissioner with a record of all security breaches upon request.
If organizations fail to comply, the privacy commissioner has the power to post breach notifications, raising the spectre of class-action lawsuits. Given the stakes of non-compliance, organizations both large and small are now considering the steps they must take to implement and test an appropriate breach-tracking, response, and notification program.
Hope is not a strategy, so prepare today
While every organization’s needs are different, the first step toward compliance is to take stock of assets to assess what information may be at risk in a breach. The second step is to evaluate current cybersecurity capabilities to see where they stand with respect to the new requirements. While the requirements won’t change a company’s core cybersecurity needs, they will increase risk for those whose systems are not already sufficient. That should be encouragement enough to make the necessary changes now.
Small- and medium-sized businesses with strained resources should seek advice from an expert to assess their data assets and develop an appropriate security framework and breach response plan. For more mature or larger organizations, cyber liability insurance may make sense when overall breach-response costs are considered. As the availability of actuarial data related to cyber breaches grows, such insurance becomes increasingly feasible. Already, roughly one-third of US companies have some form of cyber insurance coverage. Canadian insurers are also offering several policies, such as coverage for network extortion and a data breach fund to cover expenses to retain a computer forensics firm in the wake of a breach.
That said, insurance alone is not enough. Businesses of all sizes should also take preventative measures before mandatory reporting comes into effect. These include:
- Gaining an understanding of their online profile and which groups might target them through social media or other digital channels
- Using technology to uncover potential risks, which could include: threat intelligence, multi-layered endpoint security, network security, and reputation-based monitoring tools
- Retaining a third-party firm for crisis management/incident response
- Running practice drills to ensure the organization has the skills necessary to respond effectively
- Implementing and maintaining both tracking and reporting mechanisms to document all attacks in order to comply with the strict new record-keeping requirements
A coordinated response strategy
As the cyber threat landscape evolves, so too must an organization’s breach-response strategy. To effectively mitigate today’s complex cyber risks, organizations need a proactive approach that is seamlessly orchestrated and executed — one that transforms a multifaceted process into one cohesive response.
To build this type of “one-response” strategy, organizations must coordinate the responses of their various teams, including legal, privacy, insurance, cybersecurity, and forensics. Working cohesively, these teams should be able to address the full spectrum of cyber risks their organization may face, including cyber incident management, evidence preservation, and breach response.
With a proactive and coordinated approach, organizations can take mandatory breach reporting in stride instead of on the chin.
Robert Masse is a national partner in the Risk Advisory practice of Deloitte Canada. With over 20 years of experience in cybersecurity, he’s built a reputation as a pragmatic security executive. He helps clients develop security programs like incident response, cyber intelligence and information security management. A thought leader in his industry, Robert has extensive experience in strategic and operational security domains with a focus on incident response and advanced threat actors.