Between Nov. 01, 2018 and the same date one year later, the Office of the Privacy Commissioner of Canada (OPC) received 680 breach reports, roughly six times the volume it received during the same period one year earlier. The most common type of breach (accounting for 58% of those reported) was unauthorized access, followed by accidental disclosure, loss, and theft.
“It’s a staggering increase and higher than we had anticipated given the experience of our counterparts at the Office of the Information and Privacy Commissioner of Alberta when their mandatory reporting laws came into effect,” stated the OPC. “According to those reports, the number of Canadians affected by a data breach is well over 28 million.”
However, Nov. 01, 2018 is noteworthy for another reason. It’s the date when businesses in Canada became subject to new mandatory breach reporting regulations under the Personal Information Protection and Electronic Documents Act (PIPEDA). These regulations have since changed the game for breach reporting in the country.
“Now when organizations have a [breach] event [that poses a significant harm to individuals], they have to report it to the Privacy Commissioner of Canada,” said Brian Lapidus (pictured), global practice leader for Kroll’s identity theft and breach notification practice. “They have to track all breaches, large and small, as an organization. They also have to provide notification of that breach to the actual impacted individual and while some of that has been in certain provinces before, this is the first time where we’re seeing it across all of Canada.”
The timing element is particularly important, with businesses having to report a breach to individuals as soon as feasibly possible after they’ve determined that harm from said breach has occurred. This is in contrast to similar regulations in the United States where businesses have to report as soon as possible whether there’s harm or not to an individuals. Both of those scenarios can nonetheless be a challenge.
“That makes it a challenge for the organization because they want to know that they’ve had an event and sometimes it takes a forensic investigation or more work within your own systems and your own understanding of what happened,” explained Lapidus. “One of the things that we’ve seen is there’s a real challenge at times when organizations prematurely notify and then find out there’s not an issue, so this is going to be a developing story in Canada to see how this plays out.”
The regulations are likely to evolve from here, he added, noting that in Australia when fines related to security breaches started to come down, that’s when organizations really took note of the regulations.
“Phase one is the legislation and then when the first fines are issued, you see organizations say, this is the real deal,” Lapidus told Insurance Business. “Another interesting nuance in the legislation is there’s no specification around how the notification has to work … PIPEDA is not that wide and not that explicit yet, but I think this is step one in what will be an evolving set of legislation and implementation of that legislation into practice.”
For small and medium-sized businesses in particular, the rules laid out by PIPEDA give them additional responsibilities for securing the data that they have, and then being responsible for it as an asset. While it’s still early days, organizations are picking up the mantle of that responsibility and making it a priority, according to the Kroll leader, who is seeing SMBs add information security staff to their teams and partner with third parties to run risk assessments and tabletop exercises so they have a plan in place for when (and not if) a breach happens.
“You’re seeing a lot of proactive steps from these organizations, and I think they have no choice but to take it seriously given the increase in the stringency of the legislation from where it was a couple years ago,” said Lapidus.
As for the additional risks to businesses that come from the legislation, class action lawsuits and claims are certainly among them. An increased level of awareness on the part of consumers about what it means to have their data exposed as well as an increased number of notifications from companies when they experience a breach in turn might result in more class action lawsuits, which is “par for the course in the US,” said Lapidus.
“I think we’re going to see individuals seeking small claims more than we have in the past, so there’s going to be a potential pickup on claims on consumer identity theft policies in market,” he continued. “And lastly, businesses are going to see an increase in costs in terms of the notification … The cost basis of dealing with data security and information security, and the repercussions for breaching those things are going to be a more prominent line item in the P&L of organizations in the Canadian market.”
In the meantime, Kroll has launched its dark web monitoring capability in Canada and is running its call centres in the country, as well as implementing a team of cyber professionals in the Great White North that are helping to run breach investigations.
“We wanted to make sure that we were able to meet the businesses – our clients – and their constituents, consumers, and employees where they were most comfortable,” said Lapidus.
