Cyber security in Canada is changing. Organizations will soon be required by law to report cyber data breaches if there is any risk of significant harm to personally identifiable information.
The changes to data breach regulation are expected to unroll across the country in the near future, after major amendments were made to the Digital Privacy Act (PIPEDA) in June 2015. Companies will soon face much more rigorous regulatory requirements and potentially higher costs and fines.
The incidents that tend to make the headlines are the global ransomware attacks and high-profile hacking sagas. However, data breaches are not just the result of criminal activity.
Something that doesn’t make the headlines is the number of accidental data breaches caused by employee error, or of data breached while controlled by third-party suppliers. Accidental data breaches account for almost one third of incidents, according to Beazley Breach Insights, a report based on client data collected by specialist insurer Beazley.
But just because a breach is accidental, that won’t stop a regulator coming down hard.
“Sometimes the breach comes from employees who just don’t know the right way to protect data,” said Katherine Keefe, leader of the Beazley Breach Response Services Group. “While there are criminals behind ransomware attacks, it’s often a lack of awareness among employees that opens the door for the criminals to come walking through.
“A company can have the best security systems and yet still be vulnerable to the ever-changing threat landscape from a criminal perspective. But that doesn’t mean you should throw in the towel. There’s a lot companies can do with their very own employees, using risk management tools and education campaigns to reduce the threat level from the inside of the company.”
Accidental data breaches can occur through seemingly innocent actions like dumping paper data in an ordinary dumpster rather than putting it through a shredding bin, or clicking on a link contained in a malicious phishing email – all actions that can be curtailed with the right risk management and education programs in place.
“Companies need to have a breach response plan in place so that everybody knows what to do and who to turn to for help in the event of a suspected data breach,” said Keefe. “They need to think about things like which departments will be impacted, which privacy lawyer will guide the company through the complex legal ramifications, and what forensic teams will help in the result of an IT systems compromise.
“With our program at Beazley, we have assembled all of those resources as part of the insurance coverage, so that when an incident happens, a company with our policy can activate their breach response plan quickly and get the investigation up and running. Time is of the essence as most regulatory agencies require a very expedient and quick response to a suspected data breach.”
The temperature of the regulatory landscape across Canada is something brokers need to stay on top of, according to Keefe. As regulators become more comfortable with their new laws, they will look to enforce regulations and penalties with more intensity.
Ransomware is a crime model that’s “not going to go away and will unfortunately probably increase,” commented Keefe. There’s not much companies can do about this. But they can certainly curb the number of accidental breaches, and the insurance industry can step up to help.