Office Document Strategies Blog

Canadian Data Breach Law Comes Into Effect November 1

Posted by Lee Kirkby on Wed, Oct 24, 2018 @ 07:10 AM

A key component of Canadian privacy law, which was created in 2015, comes into full effect on the first day of November this year. The provisions of the law deal with the consequences of failing to notify the Privacy Commissioner when specific conditions occur in the event of a privacy data breach.

Many Canadian companies are not going to be aware of the specifics of this legislation, as many think that they either do not hold data that would be of concern or that they have taken adequate steps to protect their information. Of course, in many instances this may be true, but unfortunately the stories that come out about breaches show that many organizations can be hit even when due care has been taken.

3 Questions to Ask Yourself about Data Breaches

  1. Does your company have a data breach response plan?
  2. Have you identified the criteria you will apply to determine whether the breach meets the test of real risk of significant harm?
  3. Do you have a decision tree to determine who will decide on notification?

What is important here is what you do in the event there has been a breach. The legislation anticipates that most organizations will take reasonable steps to protect their data from hackers and outright theft. It does not generally penalize the breach itself. What it penalizes is the lack of notification of those affected by the breach and the lack of notification of the appropriate authorities so the public can be protected. Being unaware of the requirements is not going to be seen as a defense.

Unfortunately, when there is a breach, too often the tendency might be to try to ignore it or to hide it, since it can be both embarrassing and potentially lead to costs associated with notifying those affected.

Luckily, there is a pretty good understanding in the public mind that there is the potential for breaches, and when public announcements occur there is less blowback than in the past. Unfortunately, this has come as a result of major organizations with high-quality IT talent having been hacked and massive numbers of records having been affected.

The result of this is that smaller organizations can more safely announce when they might have been affected without as much potential for an overwhelming negative impact.

Taking as many precautions as possible helps.

Of course, one of the best defenses to a breach issue is to have taken the reasonable steps necessary to protect your data and other IT assets. This has many positive benefits that go well beyond helping you comply with the law.

One of the areas which has had specific cost consequences for Canadian jurisdictions is the malware called ransomware, and there are steps which can be taken to protect your organization. There is good information available from several sources to help you understand how to protect yourself. Protection company Datto publishes some good blogs which can help point the way. An example is here dealing with the new provisions in Canadian law.

Below are some examples where ransomware has hit Canadians, which help illustrate why you don't want to wait to be hit with an incident. These types of events show why taking the steps possible to protect yourself is much better value than paying up once hit.

Town of Midland:

https://www.ctvnews.ca/canada/ontario-town-plans-to-pay-ransom-after-computers-locked-down-1.4090227

Swiss Chalet, Harvey's, Other Big Chains Hit

https://www.cbc.ca/news/business/recipe-unlimited-swiss-chalet-east-side-mario-s-malware-outbreak-1.4845907

A general article on Canadian ransomware

https://www.macleans.ca/news/canada/anatomy-of-a-bitcoin-ransom/

Dealing with all aspects of IT security is a challenge for every organization, no matter the size and sophistication. Luckily, there are many cost-effective tools which can be found and deployed to help reduce the risk to a manageable level without overly taxing resources. Taking the time to learn more and to implement a management plan is a good way to help avoid becoming a victim.

As with most insurance, you hope that the negative event will not occur, but by taking good, prudent steps ahead of time you reduce the stress associated with the threat, and your people know what to do in the event that something ever does happen.

Lee K

Topics: ransomware, malware, cyber security