Canada is one step closer to joining the countries that have already enacted industry-wide cyber breach notification laws. The cabinet proclaimed the breach disclosure law and announced its implementation date on March 26, 2018, by order-in-council. The law applies to companies covered under federal Canadian law; it does not apply to companies in British Columbia, Alberta and Quebec, which already have their own data privacy laws.
So, what does this all mean for federally regulated businesses in Canada? IT World Canada reports:
- Businesses must determine if the breach poses a “real risk of significant harm” to any individual whose information was involved in the breach by conducting a risk assessment. The assessment of risk must consider the sensitivity of the information involved, and the probability that the information will be misused. The law defines significant harm to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft;
- When the organization considers that a breach poses a real risk of significant harm, it must notify affected individuals and report to the Privacy Commissioner of Canada as soon as feasible;
- The company must notify any other organization that may be able to mitigate harm to affected individuals.
This new law makes it mandatory for businesses, in the event of a breach, to notify customers, affected third parties and the federal privacy commissioner. While the specific regulations for reporting have yet to be announced, the proposed regulations say notification to possible victims must include:
- a description of the circumstances of the breach;
- the day on which, or period during which, the breach occurred;
- a description of the personal information that is the subject of the breach;
- a description of the steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm;
- a description of the steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm;
- a toll-free number or email address that the affected individual can use to obtain further information about the breach; and
- information about the organization’s internal complaint process and about the affected individual’s right, under the Act, to file a complaint with the Commissioner.
With the new law set to take effect November 1st, it is predicted there will be greater demand for cyber insurance. According to insurancebusinessmag.com, some insurance companies are already witnessing “the development in firms’ interest in cyber coverage,” leading to speculation that “a regulation like this might advance that interest further.” Uzado has developed a Cyber Insurance framework based on Cohen’s Cyber COPE, which you can read more about here. For businesses interested in cyber insurance, it makes sense to work with an MSSP like Uzado to help fill in the security gaps.
Another step businesses in Canada may want to consider is planning for a potential breach. In the same way you might have an emergency plan for escaping a building on fire, companies must prepare for how they will handle and report a breach. Uzado offers Breach Readiness as a Service (BRaaS) as one of its MSSP offerings. BRaaS gives customers a proven, proactive approach to preparing for a breach: Uzado works with organizations to set up policies and procedures, form response teams in which individuals are assigned specific roles, establish the required channels of communication, and much more.
Need help getting ready for Canada’s Breach Disclosure Law? Contact Uzado today!