BLOG: Are we ready for a cyber attack?

Are this year’s high profile data breaches in Canada an indicator of a systemic cyber risk problem? David Laks thinks so.

A quick look at the headlines: Home Depot’s data breach affected Canadian customers; Canada Revenue Agency temporarily shut down its public site in April because someone exploited the Heartbleed security flaw (900 social insurance numbers were compromised); National Research Council had its computer systems hacked in July, forcing it to shut down.

According to an independent research report issued by Websense in November 2013, 36 percent of the Canadian companies surveyed had experienced one or more cyber attacks that breached their networks during the previous 12 months.

How safe is your company’s/client’s data?  And how do you know you weren’t personally impacted by one of these breaches?

Part of a company’s responsibility under Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), is to “protect personal information against loss or theft.” However, there is currently no federal law in Canada requiring private companies to disclose breaches to the government or to those affected. That may change with Bill S-4, the Digital Privacy Act, currently before Parliament. But Canada is playing catch-up; other countries have had disclosure rules for years.

Unfortunately, the proposed Bill S-4 legislation has some shortcomings. First, the threshold for an organization to disclose a data breach is set very high: disclosure is required only if there is “a real risk of significant harm to the individual.” Other jurisdictions have set a lower threshold for notification. Second, the bill requires organizations to keep a record of every breach, but to provide those records to the Privacy Commissioner of Canada only when specifically asked. Will the Privacy Commissioner regularly ask every company for this information?

The end result may be under-reporting or delay in reporting of breaches, thereby reducing the ability of Canadians to effectively mitigate the misuse of their personal information.

Many organizations understand that there needs to be an ongoing assessment of malicious threats (hackers, phishing, pranksters, Distributed Denial of Service (DDoS) attacks, rogue contractors, disgruntled IT staff), as well as of the non-malicious (and more common) threats, including employee mistakes such as lost laptops and phones, data leaks, application glitches, and changing network and data-sharing practices.

Only once senior management understands the potential financial impact of a data breach will they be able to complete a cost/benefit analysis of upgrading their current cyber risk program. As part of that evaluation, they may consider a cyber liability insurance policy. Such a policy can cover the typical costs of a breach, such as: liability to affected customers and other third parties, forensic investigation, litigation, remediation expenses associated with the breach, business interruption, cyber extortion, regulatory defence, and public relations expenses.

There is a natural tendency to do the absolute minimum to deal with cyber security. Even with the most robust cyber risk program, there will always be some risk of a breach. However, the risk to Canadians will be reduced by improved legislation and by organizations understanding the potential impact of a cyber breach.

David Laks, P. Eng., CFPS, RRC, ARM, is a Senior Risk Consultant in the Risk Services Division of HUB International. For more information on HUB’s Risk Services, visit HUB’s Crisis Management Center.