This week brings mandatory breach notification to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's privacy law for private sector organizations.
The law, which took effect in 2001, sets out rules that organizations must follow when collecting, using or disclosing personal information as part of their commercial activities.
The Office of the Privacy Commissioner (OPC) enforces PIPEDA by overseeing whether organizations are complying with its requirements. A caveat: The federal government may exempt from PIPEDA organizations and/or activities in provinces, such as Quebec, British Columbia and Alberta, that have adopted similar privacy legislation. (Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia have adopted similar legislation with respect to personal health information.)
PIPEDA's purpose is to facilitate growth in the digital economy by helping to ensure that Canadians have trust and confidence in how organizations handle their personal information. The law employs a principles-based approach that balances the privacy rights of individuals with the legitimate needs of businesses to use or exchange information.
Canada's Digital Privacy Act, passed in 2015, amended PIPEDA to add mandatory breach reporting obligations under PIPEDA.
The amendments impose a new set of obligations for organizations to inform individuals if their personal information has been lost, stolen or inappropriately accessed, and they are placed at risk of harm. Specifically, the law states:
- Data breaches that pose a "real risk of significant harm" will need to be reported to the privacy commissioners and affected individuals will need to be notified.
- An organization may also be required to notify other organizations if they are in a position to protect affected individuals from harm, such as banks, credit card companies or credit reporting agencies.
- Failing to notify an individual as required will be a separate offense subject to fines of up to $100,000. Meanwhile, deliberately failing to keep, or destroying, data breach records will also be an offense subject to fines of up to $100,000.
While the fines are clearly stated, the law does not clarify how breaches are counted: whether the compromise of a single record counts as one breach for fining purposes, whether a breach involving multiple records is one breach or many, or whether a series of related breaches would be treated as a single occurrence and fined accordingly. It is also unclear what factors the OPC would consider to determine whether a violation has occurred.
Now, with all of this said, your goal of course is to never have to make a privacy breach notification in the first place. Data compromises deliver an enormous financial blow in terms of downtime, clean-up, lost productivity, tarnished reputation, customer attrition and more. The reality, though, is that they are a near certainty, but there are clear and practical steps you can take to limit the likelihood you will fall victim or to mitigate the fallout if an incident does occur.
Here are some guidelines worth adopting.
Understand the threats you're facing.
1) Know what personal information you have, where it is and what you are doing with it
Data inventories and process maps will help ensure you know exactly what personal information you need to protect, as well as when and where you need to protect it.
2) Discover your vulnerabilities
Conduct risk and vulnerability assessments and/or penetration tests within your organization to ensure that threats to privacy are identified. Don't just focus on technical vulnerabilities, though. For example, are third parties collecting personal information on your behalf without appropriate safeguards?
3) Get familiar with threats unique to your industry
Be aware of data breaches in your industry. Attackers will often re-use the same attacks against multiple organizations. Pay attention to alerts and other information from trade associations - or whatever your source of industry news - with the goal of avoiding becoming the next vulnerable target.
Think beyond the people with bad intentions.
4) Encrypt laptops and portable media
Organizations often focus on privacy breaches caused by hackers, but this ignores some key threats. Perhaps the most common type of preventable breach is the loss or theft of unencrypted laptops, USB keys and other portable media. In many of these incidents, the use of sufficiently strong encryption could have turned a headline-grabbing privacy breach into a minor issue.
5) Limit the personal information you collect, as well as what you retain
You should know not only why you are collecting each piece of personal information, but why you are keeping it. Where possible, don't collect personal information at all. For example, in most identity authentication cases, it is enough to view, but not record, an individual's identification. Also, if personal information is collected only for limited purposes, securely dispose of it once those purposes have been fulfilled. Always keep in mind: You can't lose what you don't have!
6) Don't neglect personal information's end of life
You must protect personal information throughout its lifecycle, including the often overlooked end of life. Clearly define your policies and procedures about the secure destruction of personal information and make sure they are followed. Many breaches have occurred because of documents left behind in a move or thrown in the garbage. Like an action movie hero, personal information tends to survive and reappear when its destruction isn't seen through to the end.
7) Train your employees
Policies can only be effective when those responsible for implementing and abiding by them are aware of what they contain, why they exist and the consequences of neglecting them. You should have in place ongoing privacy and security training and awareness programs that go far beyond "checking-the-box" exercises. Employees who fully understand their roles and responsibilities in protecting personal information can be one of an organization's best lines of defense against breaches.
8) Limit, and monitor, access to personal information
Employee access to personal information should be limited to what they need to know, particularly when this information is sensitive. This can help ensure they don't become the cause of a breach, either accidentally or intentionally. Similarly, monitored access logs can help you identify unusual behaviors before a major incident occurs.
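As an added illustration of this guideline (example code written for this post, not from the article or any product), the script below runs two checks over constructed access-log lines: a need-to-know check against an assumed role policy, and a check for an employee pulling an unusual number of distinct personal-information records in a short window. The role names, record types and log format are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed need-to-know policy (illustrative, not from the article): record types each role may read.
ROLE_CAN_READ = {"support": {"contact"}, "billing": {"contact", "payment"}, "hr": {"employee"}}

# Constructed sample access-log lines, one read of a personal-information record per line.
SAMPLE_LOG = """\
2018-11-01T09:00:12 user=alice role=support type=contact id=C1001 action=read
2018-11-01T09:01:05 user=alice role=support type=contact id=C1002 action=read
2018-11-01T09:30:00 user=bob role=support type=payment id=P2001 action=read
2018-11-01T10:00:00 user=carol role=billing type=contact id=C1003 action=read
2018-11-01T10:00:20 user=carol role=billing type=contact id=C1004 action=read
2018-11-01T10:00:40 user=carol role=billing type=payment id=P2002 action=read
2018-11-01T10:01:00 user=carol role=billing type=payment id=P2003 action=read
2018-11-01T10:20:00 user=carol role=billing type=contact id=C1005 action=read
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\w+) role=(?P<role>\w+) "
                     r"type=(?P<rtype>\w+) id=(?P<rid>\w+) action=read$")

def parse(log_text):
    """Turn log lines into event dicts with a datetime timestamp; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def find_policy_violations(events):
    """Reads of a record type that the reader's role is not permitted to see (need-to-know breach)."""
    return [(e["user"], e["rtype"], e["rid"]) for e in events
            if e["rtype"] not in ROLE_CAN_READ.get(e["role"], set())]

def find_bulk_reads(events, max_records=3, window=timedelta(minutes=5)):
    """{user: most distinct records read in one sliding window} for users exceeding max_records."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):  # events are time-sorted, so look forward from each start
            ids = {x["rid"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(ids) > max_records:
                flagged[user] = max(flagged.get(user, 0), len(ids))
    return flagged
```

On the sample log, `find_policy_violations` flags bob's read of a payment record from a support role, and `find_bulk_reads` flags carol for four distinct records inside five minutes; the thresholds are placeholders to be tuned to your own access patterns.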
But don't forget about people with bad intentions, either.
9) Maintain up-to-date software and safeguards
This is Security 101. If you don't protect yourself against known vulnerabilities, you greatly increase the likelihood of a breach. Establish systematic, documented processes to ensure that security-related patches are applied in a timely manner, that anti-malware is up to date with the latest definitions and that software no longer in use is removed from your systems.
10) Implement, and monitor, intrusion prevention and detection systems
An organization's first goal is to prevent intrusions, and you should have systems in place to do so. However, the reality is that even with the best protections in place, your system may get breached. Measures such as intrusion detection systems, firewalls and audit logs can help you to identify and respond to privacy breaches before they escalate - assuming you're paying attention to them.
If a breach does happen, control the damage.
11) Take immediate commonsense steps to limit the breach
Immediately contain the breach, designate an appropriate individual to lead the initial investigation, determine the need to assemble a team (which could include representatives from other parts of the business) and determine who needs to be made aware of the incident internally and externally. Be careful not to destroy evidence that may be valuable in determining the cause or allow you to take appropriate corrective action.
12) Reduce the likelihood of future breaches
Once the immediate steps are taken to mitigate the risks associated with the breach, you need to investigate its cause and consider how to move forward to prevent similar incidents. The level of effort should reflect the significance of the breach and whether it was a systemic breach or an isolated instance. This plan may include the following:
- A security audit of both physical and technical security.
- A review of policies and procedures and any changes to reflect the lessons learned from the investigation.
- A review of employee training practices.
- A review of service delivery partners and suppliers.