Companies have to get ahead of mandatory breach regulation before it “bites them”

Companies have to get ahead of mandatory breach regulation before it “bites them” | Insurance Business

The legalization date for recreational cannabis use isn’t the only countdown that brokers are watching this fall. With the mandatory breach notification regulations under the Personal Information Protection and Electronic Documents Act (PIPEDA) coming into play on November 01, Canadian businesses will have to get ready to comply with guidelines around record-keeping and the notification of customers when breaches occur. Brokers, too, have to be versed in the new legislation and keep their clients in the know on its potential impacts.

One company’s preparations for the date, in terms of what it’s providing for brokers, are already well underway.

“With November 01 approaching quite quickly, we want to be there for our broker partners - because that’s really how we see them, they are our partners - so helping them in any way that they need, whether that be messaging, whether that be marketing materials, whether that be through leadership, whether that be sales enablement tools, leading up to and post-November 01,” said Greg Markell, president and CEO of Ridge Canada Cyber Solutions.

“On top of that, we’re continuing to listen to our broker partners and really asking questions about what they need and what they want to see from us. We have a number of different products that we’re kicking around and that we’re actively working on, but right now our focus is being completely supportive of our networks and of our partners leading up to the change in legislation that is affecting their clients directly.”

The notification requirements have tended to steal the spotlight, but it’s also the record-keeping element that companies need to be aware of as the regulations are enforced.

“Organizations that have been breached have to keep a running incident log of the situation, both what happened before, during, and how they’ve dealt with it [after],” explained Markell. “If you don’t do this the right way and you don’t protect this in some form of privilege by dealing with it with a breach coach or some legal representation, then all of a sudden smart plaintiff counsel is going to say, ‘hey, how about the ledger,’ and they have a case made for them at that point. Businesses have to take it seriously, but they also have to be strategic in their risk management planning and get ahead of this before it really comes up and bites them.”

The incoming regulations are a billboard-sized sign that companies need to take data security seriously, if not for the safety of consumers then for their own financial well-being.

“If you get breached and it appears you haven’t paid any attention to this real world risk that everybody’s been talking about, if you’re indifferent to that dynamic environment, you might see the heavy hand of government reach into your back pocket and take a substantial fine,” said Ridge Global chairman, Governor Tom Ridge, adding that the current threat landscape marks the new cyber reality that we’re all living in today. “I call it the digital forever, and the digital sun’s never going to set – it’s just going to get hotter.”