If you missed the fact that, last week, the Government of Canada pushed forward mandatory data breach disclosure obligations for businesses, don’t be alarmed – the order in council was adopted quietly and with little fanfare on the part of the government.
The Order in Council fixed the coming-into-force date for several sections of the Digital Privacy Act – specifically sections 10, 11 and 14, subsections 17(1) and (4), and sections 19 and 22 to 25 – which will take effect on November 1, 2018. For those unfamiliar with the details of the Act, these are the sections that amend the Personal Information Protection and Electronic Documents Act (PIPEDA) to require organizations to report breaches of security safeguards to the Privacy Commissioner, notify affected individuals, and keep records of breaches, along with the related compliance requirements.
The implementation of mandatory breach notification brings Canada closer to other countries that have already taken steps to create industry-wide cybersecurity standards. It has been a sticking point for some in the cyber community – just a few weeks ago, Lindsey Nelson, international cyber team lead for CFC Underwriting, told Insurance Business that, in part because the federal breach notification provisions of the Act had still not come into force, Canada lagged the UK and US in cybersecurity standards.
According to one expert, our closest neighbour is as much as a decade ahead of us.
“That’s primarily because the US legal framework has been in place for quite a while and it varies from state to state,” said Patrick Bourk, principal and national cyber practice leader at HUB International.
The specific regulations dictating what that breach reporting will look like – including what a report or notice must contain – have yet to be announced, and are not expected for a few more weeks.
“The other shoe to drop, if you will, is the actual regulations. Some of us in the legal community were wondering whether or not to announce this because it’s all well and good to say November 1 is when it all happens, which is very important, but, as with all legislation, the devil’s in the details,” said Bourk. “That’s going to set the tone for, for example, what exactly has to go into the notice.”
Many large companies – think Hudson’s Bay with its recent breach – likely already have a process for reporting data breaches. But because PIPEDA’s obligations apply regardless of an organization’s size, small and mid-sized businesses will now have to meet the same standards and put their own breach notification processes into action.
“Without there being a framework, everyone is doing things on their own,” explained Bourk. The law sets a general baseline for what companies have to do, with the expectation that each company will adapt it to its own circumstances and the specific risks it faces.
As companies start preparing for the November coming-into-force date, their insurance needs might change. Bourk has already seen firms’ interest in cyber coverage grow, and a regulation like this might advance that interest further.
“Even two years ago, nobody was really buying cyber liability insurance. Whenever there’d be a breach, that’s one of the first things that the lawyer would say is, ‘Do you have insurance?’ and 90% of the time, they’d say no. Now, a lot more people are starting to say yes,” said Bourk.
Companies that have already experienced a breach might have protocols in place for how they notify clients. For companies that have never given any thought to dealing with a breach, the notification rules will be the push to put such plans in place.
Among other preparations, HUB is advising clients to determine their obligations under the new rules and to begin reviewing their existing policies and procedures against them – an example of the resources and advice insurers can provide to their clients following the announcement.
“It’s kind of like a fire,” said Bourk. “And you’re not going to grab pails of water, and try and put it out yourself. You’re going to call the experts to come in and help you. It’s not dissimilar for a cyber breach that way, too.”