Canada’s New Breach Reporting Law: 1 Year Later

In November 2018, a new Canadian privacy law was created requiring Canadian businesses to report data breaches to the Office of the Privacy Commissioner (OPC).

Requirements now include:

  • Reporting to the OPC any breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals.

  • Notifying affected individuals about those breaches.

  • Keeping records of all breaches.

Although the OPC could not directly tell Canadian businesses to invest in cyber security, it indirectly created a need for a higher level of education and accountability within the cyber walls of each organization. By mandating these changes and implementing penalties for businesses of all sizes, the program aims to push businesses to keep Canada’s cyber infrastructure from falling behind the advanced technology used by cyber criminals. Of course, the direct intention is to hold businesses accountable for the data in their possession and maintain a strong economy.

One year later, we can see the effects of the initial phase of the program, and the results are revealing. More companies seemed to come forward, opening eyes to the revelation that Canadian businesses were far more susceptible than originally thought.

The OPC had this to say in their blog post: “Since reporting became mandatory, we’ve seen the number of data breach reports skyrocket.” It further stated, “Some of those reports have involved well-known corporate names, but we have also seen significant volumes coming from small- and medium-sized businesses.”

  • 6 times as many breaches were reported as over the same time period a year before.

  • Over 28 million people were assumed to be affected (Canada’s current population is 37.5 million).

  • 680 total breaches were reported from November 1, 2018 - October 31, 2019.

12 Month Growth Chart - Approximate Number of Reported Breaches

 

Breach reporting is now a glaring hot-button issue for many executives and IT departments across the country, and several questions arise, as it seems that PIPEDA is only scratching the surface. The OPC has stated that funding for the project did not budget for the unexpectedly high volume of investigations. Furthermore, penalties and corrective action cannot be enforced by the country’s cyber watchdog.

So what’s next for Canadian businesses? Aside from reporting, what should they do if they’ve been breached? How can they prepare themselves to identify the breach and begin remediation? How can they prevent a breach? With so much revealing data, the curtain has been pulled back and, of course, the hidden problems have accumulated. Time will tell what Phase II will look like for PIPEDA. For now, the problem areas have been identified and it is up to each of us to take next steps.

Oftentimes, a dedicated security leader can guide your internal IT departments through compliance, training and even remediation. If you find yourself left with questions or concerns about your current cyber security or have experienced a cyber breach, connect with us and we can help you evaluate your next steps to security.

Talk to a Cyber Security Expert

Cyberthreats are growing almost exponentially, and cybercriminals are actively targeting small/medium-sized businesses because these organizations do not have the internal awareness, expertise, or tools to protect themselves.

We created EnterProtect with the mission of mitigating the damages to organizations caused by cybercrime. Talk to a cyber security expert today and find out how we can help protect your business.

 