It’s been a busy year in the world of cyber security. First came the EU’s General Data Protection Regulation (GDPR), which made landfall on Canadian soil in April, declaring that the export of personal data outside the EU falls under EU data privacy law for its citizens. That means all your business needs to do is capture one email address (from a subscriber, etc.) belonging to an EU citizen to become subject to the punitive measures that could follow a data breach. Still, some Canadian businesses have been slow to abide by all GDPR mandates to date and in doing so have accepted the risk.
But that laissez-faire stance on cyber security just got real for Canadian businesses, including those here in BC. As of November 1, 2018, the Privacy Commissioner of Canada enacted an addendum to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) that will forever change the way you look at the risk of a cyber attack.
PIPEDA is Canada’s privacy law for private sector organizations. It sets out the rules they must follow whenever they collect, use or disclose personal information in the course of their commercial activities. It covers fair information principles and provides guidance on how to improve IT security; however, the recent update thrusts businesses into the spotlight after a cyber attack has occurred. It is now mandatory to fulfill the following obligations:
Your business must report all breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals to the Privacy Commissioner of Canada.
Your business must notify affected individuals about those breaches.
Your business must keep records of all breaches for a minimum period of 24 months.
Failure to abide by each obligation is considered a separate offence, making your business subject to fines of up to $100,000 per violation.
What exactly constitutes a data breach? Essentially, any scenario that involves unauthorized access to your organization’s data, such as someone hacking into systems where personal information resides, regardless of what the intruder intends to do with it. For instance, if you or a staff member clicks a malicious link in a phishing email, you will have to fill out this PIPEDA breach report or provide a comparable report right away. You can’t afford to sweep a hack under the carpet, which is why you need liability coverage against cyber crime more than ever before. Please keep reading.
3 Reasons Why Your Business Needs Better Liability Protection After the November 2018 PIPEDA Update
1. Mitigate Risks of Financial Penalty
Ethical businesses have every intention of abiding by PIPEDA’s new obligations; however, all it takes is one weak link in the organizational chain to expose you to the risk of a violation. Through negligence, an office worker may have inadvertently downloaded a ransomware payload and attempted to hide the fact out of fear of repercussions. Or, IT staff may have neglected to patch a vulnerability and not informed all stakeholders about a seemingly insignificant breach. Long story short, there is a very real risk of violating these new obligations.
Most small to medium businesses can’t afford to lose $100,000 (per violation). It’s bad enough that a ransomware attack itself could cost you thousands or much more, with 60 percent of SMBs shutting down within six months of a data breach. Layer on the potential for PIPEDA (and GDPR) fines and your exposure increases exponentially. To be blunt, moving forward into the post-PIPEDA-update era without the most comprehensive cyber crime coverage possible is simply unthinkable.
2. Mitigate the Risk of Public Relations Backlash
The primary reason businesses neglect to inform invested parties about a data breach is the fear of a public relations backlash, which can directly impact current business relationships and customer/client acquisition initiatives alike. Look no further than Uber, which attempted to cover up a 2016 breach that exposed millions of user accounts, only to receive a whopping $148 million fine in 2018 for failing to report the incident.
Even if your business reports a breach in a timely manner and assures customers/clients that more stringent safeguards have been instituted, there is likely to be some loss of business until trust is restored. Protect your business against the typical losses that come from cyber crime, as well as the temporary or permanent loss of customers, with both cyber liability coverage and business interruption insurance.
3. The New Law Does Nothing to Prevent Cyber Crime
The new law intends to better protect the consumer while holding businesses that collect their data accountable. What it doesn’t do is prevent cyber crime from occurring in any way, shape, or form. In fact, some theorize that it will only lead to more advanced attacks as hackers see businesses ramping up their cyber security protocols to protect themselves from the potential consequences of the PIPEDA update. Expect malware and ransomware to become even more sophisticated, and even if you invest in machine learning and artificial intelligence (AI) to provide advanced endpoint threat protection, you will still need to adopt a more robust commercial insurance policy to boot, one that includes comprehensive cyber insurance.
Contact an independent broker at Park Insurance to learn more. In addition, have both IT staff and all key company stakeholders review the updated PIPEDA regulations today and stay tuned to our blog for future updates.