Following the implementation of the Personal Information Protection and Electronic Documents Act (PIPEDA) on November 1, 2018, the number of reported data breaches in Canada has skyrocketed. One year later, Canadian businesses had reported 680 breaches, six times the figure for the same period the year before. Let’s take a look at what happened and draw out insights that can help your business in 2020.
Canada before PIPEDA
Prior to the enforcement of the act, reporting data breaches to the Office of the Privacy Commissioner of Canada (OPC) was voluntary. Unscrupulous business owners could keep Canadian consumers in the dark until the breach was exposed by the media, an insider, or another party in the know.
The longer a business waited to admit to a security breach, the longer it would take affected customers and personnel to do anything about their compromised data. To illustrate, let’s say a Torontonian’s bank account information was stolen from a company’s database and that company delayed notifying that client for three months. That means that the data thief would have had that much time to impersonate the account holder and make transactions as such. In all likelihood, it would be far too late for the account holder to transfer their funds and close the account. The thief would have done that in the first couple of weeks.
Parliament enacted PIPEDA to prevent situations like the one above. This Act requires organizations to report to the OPC whenever their security safeguards for personal information have been breached and could endanger individuals. The law also requires organizations to promptly alert affected individuals as well as maintain documentation of all data breaches.
Canada under PIPEDA
Compliance with the regulations has led to a six-fold increase in privacy breach reporting. This points to massive under-reporting in the years prior, a substantial increase in cyberattacks, or both.
More than this, the larger count reveals three helpful insights:
#1. Large enterprises aren’t the only ones being targeted by cybercriminals
A significant share of reported data breaches actually came from small- to medium-sized businesses (SMBs). This means that firms of all sizes — not just giant corporations — need adequate cybersecurity measures.
#2. When it comes to how many people are affected by breaches, one is one too many
Though many SMBs disclosed that only a single client of theirs was affected, reporting to the OPC and informing that individual was still the correct action to take. Obviously, this is because businesses must prevent that person from suffering significant harm. There are, however, additional reasons for doing so:
- That one person’s account may just be an indicator of a much larger cyberattack, so it’s good to have the OPC and other relevant agencies help you resolve it.
- If you had one vulnerability, there's a good chance you have more. Again, working with the OPC may help address these.
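The first bullet above is the practical reason a single-account report is worth investigating before it is closed: the one account you know about may be the only one you noticed. The following Python is an added example (not code from the original post or from XBASE) that starts from the one account named in a breach report and checks authentication logs for other accounts touched by the same source. The log lines are constructed sample data, and the four-field layout (timestamp, source IP, account, result) is an assumption; adapt the parser to your own log format.

```python
"""Scope a single-account breach report using authentication logs.

Added example, not part of the original post. The log lines and the
"timestamp source account result" layout are constructed assumptions.
"""

# Constructed sample log lines. Only alice.ng was named in the breach report.
SAMPLE_AUTH_LOG = """\
2019-11-04T08:01:12Z 203.0.113.45 alice.ng success
2019-11-04T08:01:40Z 203.0.113.45 bob.tremblay failure
2019-11-04T08:01:58Z 203.0.113.45 bob.tremblay failure
2019-11-04T08:02:15Z 203.0.113.45 c.dubois success
2019-11-04T08:10:03Z 198.51.100.7 alice.ng success
2019-11-04T09:30:44Z 192.0.2.88 d.patel success
2019-11-04T09:45:10Z 203.0.113.45 e.wong failure
"""


def parse_auth_log(text):
    """Parse whitespace-separated log lines into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed or truncated line; do not guess at its fields
        ts, src, account, result = parts
        events.append({"ts": ts, "src": src, "account": account, "result": result})
    return events


def scope_from_account(events, reported_account):
    """Pivot from the reported account to every source that authenticated as it,
    then list the *other* accounts each of those sources touched.

    Returns {source_ip: {"other_accounts": [...], "failures": n}} for sources
    that touched at least one other account. An empty dict means the logs give
    no sign that the incident extends beyond the reported account.
    """
    suspect_sources = {e["src"] for e in events if e["account"] == reported_account}
    scope = {}
    for src in suspect_sources:
        src_events = [e for e in events if e["src"] == src]
        others = sorted({e["account"] for e in src_events
                         if e["account"] != reported_account})
        failures = sum(1 for e in src_events if e["result"] == "failure")
        if others:
            scope[src] = {"other_accounts": others, "failures": failures}
    return scope


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    for src, info in scope_from_account(events, "alice.ng").items():
        print(f"{src}: also touched {info['other_accounts']} "
              f"({info['failures']} failed attempts)")
```

On the sample data, the source that logged in as the reported account also hit three other accounts, two of them unsuccessfully, so the "one affected person" report is really a multi-account incident; the second source that logged in as alice.ng touched nobody else and drops out of the result.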
#3. Employees need cybersecurity awareness training
Unauthorized access accounts for more than half of 2019’s reported breaches, and one of the more popular methods employed by hackers is targeting employees with phishing attempts.
Another significant cause of breaches is device theft: the devices staff use for work are stolen. If the user is still logged on to their work accounts and the device is unlocked, the thief gets unfettered access to those accounts.
Furthermore, not all data breaches are caused by people outside of your organization. A large portion of breaches is actually caused by staff members themselves. They can accidentally disclose sensitive information or misplace the devices they use for work. All of these reasons and more are why you should be offering cybersecurity awareness training for employees.
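The device-theft scenario above (an unlocked device with live work sessions) is one that the server side can limit even when the user cannot. The Python below is an added example, not code from the original post or from XBASE, of a minimal session store that expires sessions after an idle period and revokes every session tied to a device the moment it is reported lost. The class name, the 15-minute idle timeout and the injectable clock are assumptions chosen for illustration.

```python
"""Server-side session handling that limits what a stolen, unlocked device can do.

Added example, not part of the original post. SessionStore, the timeout value
and the clock parameter are assumptions made for this illustration.
"""
import secrets
import time


class SessionStore:
    def __init__(self, idle_timeout_s=900, clock=time.time):
        # A session that has not been used for idle_timeout_s seconds is dead,
        # so a device left unlocked does not stay usable indefinitely.
        self.idle_timeout_s = idle_timeout_s
        self.clock = clock  # injectable so behaviour can be tested without sleeping
        self._sessions = {}  # token -> {"user", "device_id", "last_seen"}

    def create(self, user, device_id):
        """Issue a new session token bound to the device that logged in."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {
            "user": user,
            "device_id": device_id,
            "last_seen": self.clock(),
        }
        return token

    def validate(self, token):
        """Return the user for a live session and refresh its idle timer.

        Returns None for unknown, revoked or idle-expired tokens; an expired
        token is removed so it cannot be revived later.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > self.idle_timeout_s:
            del self._sessions[token]
            return None
        session["last_seen"] = now
        return session["user"]

    def revoke_device(self, device_id):
        """Invalidate every session from a device reported lost or stolen.

        Returns the number of sessions revoked so the incident record can note it.
        """
        doomed = [t for t, s in self._sessions.items() if s["device_id"] == device_id]
        for token in doomed:
            del self._sessions[token]
        return len(doomed)

    def active_sessions(self, user):
        """Device IDs with a session still on record for the user (expiry not applied)."""
        return sorted(s["device_id"] for s in self._sessions.values() if s["user"] == user)


if __name__ == "__main__":
    store = SessionStore()
    laptop = store.create("alice", "laptop-01")
    print("valid before theft report:", store.validate(laptop))
    print("sessions revoked:", store.revoke_device("laptop-01"))
    print("valid after theft report:", store.validate(laptop))
```

The two controls complement each other: idle expiry caps the window when nobody reports the theft, and device-level revocation closes it immediately when someone does. Binding sessions to a device identifier is what makes the revocation precise, since revoking only the stolen device's sessions leaves the employee's other devices working.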
OPC’s tips for mitigating data breach risks:
- Be aware of vulnerabilities in your systems. Conduct regular risk assessments and penetration tests, and ensure that third parties are assessed and have the necessary cybersecurity safeguards as well.
- Exercise greater responsibility for the personal information you collect by knowing the types you have, where you store them, and what you do with them.
- Stay informed about the threat landscape in your industry. Hackers are efficient in the sense that they will keep using what works, so it pays to know what you have to guard against.
If IT isn’t your power, let us help you achieve what is. Our Exponentially Better™ cybersecurity services help organizations across Toronto remain true to their value proposition. To learn more about how we at XBASE can help you, download our eBook about cybersecurity planning now.