Mandatory breach notification an ‘eye-opener’ for many businesses

The new regulatory environment is putting some commercial insureds on much-needed alert

By Alicja Grzadkowska

The eight-month anniversary of Canada’s mandatory breach notification enforcement is fast approaching, and while some businesses, as well as their insurers, have taken stock of the regulations and how to follow them in the event of a breach, awareness of compliance hasn’t been even across the board.

“A large number of regulated insureds understand their lives are going to change, with respect to what must be reported to the Office of the Privacy Commissioner of Canada (OPC), and I find that a lot of our small and medium-sized businesses, or businesses that aren’t necessarily regulated, still aren’t as aware of the laws and regulations,” said Jelena Cvetkovic, claims specialist at CNA Canada, during a cyber roundtable hosted by CNA that featured legal, insurance, and incident response experts. “When I speak to them and tell them that this is the situation where you at least need to run it by a breach coach who will then give you a recommendation or advice on whether this is something that needs to be reported to the OPC, a lot of them are still not aware that it is law, and it’s a big eye-opener to them.”

SMEs can also be especially vulnerable to cyberattacks and breaches in the first place, which puts them at another disadvantage when it comes to mitigating their exposure in the evolving cyber risk landscape.

“We often see applicants in the small business space, or industries which are less sophisticated from a technology standpoint, who don’t have a high level of awareness around these types of issues,” said Terri Mason-Benjamin, AVP of professional liability and cyber at CNA Canada, adding, “Sometimes, the less sophisticated IT security that might exist within those organizations that don’t have a large budget for IT might make them more vulnerable.”

Despite some need for continued campaigning to spread awareness among commercial insureds on the notification rules, as well as cyber risk more broadly, information on breaches has come flooding into the OPC, which is now well-positioned to enforce compliance.

“Having had conversations with staff at the Office of the Privacy Commissioner, they have seen a significant increase in the number of breaches that have been reported since the mandatory breach came out,” commented Imran Ahmad, a partner at Blake, Cassels & Graydon LLP with expertise in cybersecurity, IT, privacy, and technology.

He also told Insurance Business that in April 2018, the OPC underwent an important restructuring.

“OPC used to be a complaints-driven organization, meaning if you had a complaint, you would file it and they would maybe or maybe not commence an investigation. As of April 2018, they have restructured to have a compliance-proactive department, and their budget has increased, their mandate is being pushed a bit further, and my sense is that they’re going to be asking for additional resources, both financial and in terms of manpower,” said Ahmad.

Post-restructuring, the agency operates under three sectors: Compliance, which handles privacy compliance issues; Policy and Promotion, which focuses on informing citizens about their privacy rights; and Corporate Management, which provides advice and integrated administrative services. Each department has its own deputy commissioner, who in turn reports to Privacy Commissioner Daniel Therrien.

While some insureds are asking the right questions about complying with mandatory breach notifications in this new regulatory environment, CNA experts have yet to witness a run on the bank for cyber insurance since the rules came into effect.

“From an underwriting standpoint, interestingly we did not necessarily see a notable increase in cyber insurance purchases resulting from mandatory notification,” said Mason-Benjamin.
