A major data breach that’s reportedly affected 26 million accounts of users in Canada and the US hit event ticketing company Ticketfly last week. A hacker took control of the website and demanded a ransom, which the company refused to pay, ending in the publication of user data as retaliation.
Even as the General Data Protection Regulation (GDPR) is being adopted by any and all companies that offer goods and services to EU residents, including many with operations in North America, cybercriminals are still on the prowl for gaps in privacy and security protocols that allow them to penetrate a business and extract data.
Closer to home, it’s been a few weeks since the government released the mandatory breach notification regulations, which will come into effect November 1, and many Canadian companies are already figuring out how to comply with the record-keeping and customer-notification standards when they experience data breaches.
“We’ve seen a lot of interest increased with the finalization of the regulations,” said Alex Cameron, partner at Fasken Martineau DuMoulin LLP, and chair of the firm’s privacy and cybersecurity group. “I think there are still a huge number who are going to be reactionary to this. We’ll hear from them closer to the deadline or we’ll hear from them when they’ve actually had a breach and they want to assess what to do about it. There will be that group, but certainly, we’ve seen a lot more proactive work being done with a lot of clients.”
Some companies are already prepared to meet the regulations, according to Cameron, with various measures in place to address key aspects of the new rules.
“It is increasingly the case that companies do have incident response plans at varying degrees of completeness and readiness, but they are something that we’ve seen a lot of clients are working on for the past couple of years in particular,” he said. “This legal change, however, will require everybody to reassess whether their plan is sufficient, if they have one, or it will drive the need to create a plan.”
Underwriters will see an effect on their work, too, with more information to parse when assessing a company’s risk.
“Those files which you have to keep for 24 months will be targets for all sorts of reasons,” explained Cameron. “Now that everybody knows that they exist, I expect that that might be information an underwriter would be interested to see so that they can make an assessment as to whether this is an organization that has experienced a lot of privacy breaches… or maybe they’re ones that are material, or that there may be patterns in the breach files that indicate that they’re not improving their practices over time.”
For those companies that don’t comply with the regulations, the consequences are threefold, Cameron told Insurance Business.
“One, you would face a commissioner investigation and be found to have not complied, which could give rise to reputational impacts and legal liability, if the complainant or the commissioner then took the case to federal court,” he explained. “The second potential consequence is you could be found to have committed an offence by failing to notify, or by failing to keep records as you’re required to do, and there are financial penalties that can be levied if you’re convicted of an offence. The third consequence is really somewhat indirect, but it’s the risk of civil litigation.
“We already see rampant class action lawsuits in the wake of breaches and if you look at the cases where those are being brought, they have tended to be cases that often include a poorly handled incident response.”