Is Your Organization Ready for Mandatory Data Breach Notifications?

Overview

On June 18, 2015, the Digital Privacy Act (DPA) received royal assent and became law. Among other things, the DPA amended the Personal Information Protection and Electronic Documents Act (PIPEDA) by revising consent requirements, introducing mandatory breach notification and record-keeping requirements, and adding significant fines for non-compliance.

While many of the measures introduced by the DPA have been in force since the bill was first enacted, the government held off on imposing mandatory breach reporting until the proper regulations were implemented.

Such regulations could be in place as early as fall 2017, and organizations will want to ensure that they know what is expected of them in order to remain compliant and avoid costly fines as high as $100,000.

Mandatory Data Breach Notifications

The DPA imposes reporting requirements for every organization in Canada that suffers a data breach, particularly if that data breach creates a real risk of significant harm to the personal information of one or more individuals. While the full extent of the reporting requirements will not be known until the corresponding regulations are published, the DPA defines significant harm broadly to include the following:

  • Bodily harm
  • Humiliation
  • Damage to reputations or relationships
  • Loss of employment, business or professional opportunities
  • Financial loss
  • Identity theft
  • Negative effects on credit records
  • Damage to or loss of property

Most often, the existence of “a real risk of significant harm” will be based on the sensitivity of the personal information involved in the breach, the probability that the personal information will be misused and additional factors that may be prescribed by the forthcoming regulations.

If a breach causing significant harm to one or more individuals occurs, the affected organization must do the following, as soon as feasible:

  • Report the incident to the Office of the Privacy Commissioner of Canada (Privacy Commissioner).
  • Notify affected individuals of the breach and provide them with information on how they may minimize the harm caused by the breach.
  • Inform other organizations and government entities of the breach, especially if they believe that doing so could reduce risks or mitigate harm.

Notices must contain enough information to help affected individuals fully understand the extent of harm caused by the breach. Additionally, notices must be conspicuous and provided directly to affected individuals. However, in limited circumstances, indirect notices may be permitted. Once again, more detail will be available to organizations once the forthcoming regulations are published.

Record-keeping Requirements

Another key change under the DPA will be the requirement that organizations keep records of all security breaches involving personal information. While the level of detail these records will need to contain is still unclear, it is clear that the Privacy Commissioner will have the right to request and review these records at any time.

Penalties for Non-compliance

Under the DPA, fines up to $100,000 may be imposed against organizations that knowingly violate the mandatory breach notification requirements or breach record-keeping requirements. Until the regulations are finalized, it will remain unclear if a violation will include a single incident (for example, a single failure to notify all individuals impacted by a breach) or each incident (for example, each failure to notify each individual impacted by a breach). However, it is clear that the Privacy Commissioner now has the ability to impose significant fines for non-compliance.

What Does this Mean for Organizations?

Mandatory data breach notifications could impact any organization that is at risk of a cyber attack. Given the reach of the DPA and upcoming regulations, all organizations should consider doing the following:

  • Review and update existing protocols and policies to account for detecting, responding to and reporting data breach incidents internally.
  • Assess the types of information—personal information, intellectual property, supplier data, etc.—they hold and how they would respond in the event of a breach.
  • Create a data breach incident response plan if one does not already exist. Such a plan should include methods for notifying the Privacy Commissioner and any impacted individuals.
  • Ensure that they have sufficient insurance in place and have taken the steps to mitigate any litigation exposures. Such steps often include requiring employee training, performing security audits and identifying cyber security vendors.

Organizations should review the DPA to ensure they are compliant with all aspects of the legislation.

© Zywave, Inc. All rights reserved


Insured Losses from Catastrophic Events Reached $4.9 Billion in 2016

In insurance, a catastrophic event is one that is typically unpredictable and causes extreme loss. Catastrophic events can be either natural or man-made disasters, and common examples include earthquakes, floods, hurricanes, wildfires and terrorist attacks.

According to a review conducted by Property Claim Services (PCS), insured losses from catastrophic events in Canada reached about $4.9 billion last year, which is nearly 10 times more severe than in 2015. When these events occur, they have a heavy impact on the market—often driving up premiums.

The report—“More Than 50 Cats: PCS Full-Year 2016 Catastrophe Review”—also found that, over the past five years, the average insured loss from a catastrophic event was $2.1 billion. During this time frame, the two largest events on record in Canada were the 2013 Alberta floods ($1.7 billion) and last year’s Fort McMurray wildfires ($4 billion).

Six of the 2016 catastrophic events that occurred in Canada were in the “wind and thunderstorm” family and resulted in industry losses of nearly $860 million.

Furthermore, the report noted that the increase in catastrophic events had an impact on reported personal losses. In 2015—a quiet year for catastrophic losses—personal losses accounted for only 45 per cent of the insured loss estimate. In 2016, personal losses accounted for 71 per cent of the insured loss estimate.

Moving forward, there is a possibility that major, catastrophic events will increase in frequency and severity, making it all the more important for insurers and businesses to stay ahead of the game. In 2017, many insurance companies will be looking to advance their tools and share best practices for assessing and responding to catastrophic disasters, whether natural or man-made.



What Should Businesses Do to Prepare for Potential NAFTA Changes?

The future of NAFTA may be up in the air as formal negotiations for a policy overhaul are forthcoming with the United States. NAFTA, which has been in force since 1994, created the world’s largest free trade area, and retooling the agreement could have a major impact on Canada’s economy, labour market and global supply chains.

Since its inception, NAFTA has removed barriers and encouraged the flow of goods and labour between Canada, the United States and Mexico. This is because, after NAFTA, imported items were no longer taxed, creating less expensive goods and encouraging trade. As a result, U.S. trade with Mexico and Canada has effectively tripled.

While the future of NAFTA is unclear at this time, businesses should not wait for sweeping changes to occur. Instead, organizations can prepare for NAFTA revisions by doing the following:

  • Identify your exposures to U.S. trade action. Trade disputes can be incredibly costly for organizations, potentially leading to punishing anti-dumping and countervailing duties. To protect themselves, companies should lessen their exposure to such investigations by pinpointing how NAFTA changes might impact business as a whole.
  • Understand your supply chain. Changes to NAFTA will likely disrupt your supply chain, and upper management will no longer be able to delegate such issues to logistics or purchasing departments. It is vital for organizations and their leadership to identify supply chain vulnerabilities and alternative sources for critical inputs.
  • Communicate your interests in NAFTA negotiations. The Canadian government is preparing for NAFTA renegotiations by identifying the interests of its business community. While these negotiators have their fingers on the pulse of the major issues related to NAFTA changes, your business may be able to request specific protections not previously discussed.

Organizations may also want to explore new markets to reduce U.S. dependence and assign an individual to stay current on NAFTA updates. While the future of NAFTA is uncertain, companies don’t have to sit on their hands, and the above strategies can better position them for success.



Preventing Construction Job Site Theft

Although it is important for companies to trust their workers and the general public, the unfortunate reality is that theft can happen at any time. This is particularly true in the construction industry, where expensive tools and machinery are often left in plain sight or are easily accessible to criminals.

Construction site theft is especially damaging, as the theft of materials and tools can quickly delay a project, sometimes bringing production to a halt. What’s more, many construction workers pay for their own tools and, in the event of a robbery, may have to recoup losses out of their own pockets.

General Tips

While every job site presents its own set of unique challenges, there are a number of general tips firms can use to better secure a construction site.

The following are some basic strategies you can use to protect your materials and tools from thieves:

  1. Create a written security policy and job site security plan. These written plans should assign supervisory responsibilities, encourage awareness and establish basic best practices for securing tools and materials.
  2. Contact nearby property owners and local law enforcement officials whenever you start a new project. These parties can help monitor your job site, particularly during off-hours.
  3. Establish a means for your employees to report theft or suspicious activity. Be sure to maintain complete records of any security incidents, as they can be beneficial to law enforcement in the event of theft, vandalism or similar occurrences.
  4. Conduct thorough background checks on your employees before hiring them on full time. You should also keep a list of people authorized to be on the job site on hand at all times.

Worksite Protections

Equipping your worksite with theft-prevention features is mandatory if you expect to ward off potential criminals. Whenever possible, consider doing the following:

  1. Enclose your worksite with a security fence and provide limited access at all times. Use lockable gates whenever possible. Avoid using low-quality locks or leaving keys in the locks themselves.
  2. Ensure that your worksite is well lit at night to deter criminals.
  3. Utilize signage to keep unauthorized personnel off your worksite.
  4. Walk around the worksite at the beginning and end of each day to ensure that no items are missing.
  5. Consider hiring security guards to patrol the construction site, particularly at night.

If possible, install security cameras to safeguard your job site. Overall, training employees on how to best keep materials and equipment out of the hands of thieves is your first line of defence against losses.

Controls for Equipment, Tools and Materials

The number of tools and machinery found on a construction site can vary heavily from day to day, making it difficult to keep track of valuables. That’s why the first step in any good protection program is to inventory the equipment you have.

An inventory should be made available for each job site and should accomplish the following:

  • Inventories should track all newly purchased items. Copies of the inventory should be kept in a secure location.
  • Inventories should be up to date and include photos of the larger, more important equipment.
  • To aid in the settlement and recovery of any stolen equipment, inventories should include the following:
    • The original date of purchase
    • The original cost of the equipment
    • The equipment’s age and serial number
    • Relevant manufacturer information

Firms should assign one employee to be in charge of managing the inventory. This person would be responsible for keeping track of all materials, tools and deliveries.

Other major steps to securing equipment, tools and materials include the following:

  • Utilize a secured area to store your equipment.
  • Mark and label all tools in a distinctive manner for easy identification.
  • Implement a checkout system of all tools and equipment so you can track their whereabouts.
  • Establish a key-control system for heavy duty machinery.
  • Install anti-theft devices on mobile equipment.
  • Lock all oil and gas tank caps.
  • Park all equipment in a centralized, well-lit and secure area.
  • Avoid using your worksite for storage. Remove any tools, materials or equipment that are not in use.

In general, it’s important to keep inventory levels low on-site to discourage thieves. In addition, creating and maintaining an equipment program can make all the difference when it comes to safeguarding your tools.

Equipment programs should make employees, managers, supervisors and foremen responsible for equipment losses. Under such programs, all losses must be reported, regardless of how small. You should review equipment programs at least annually.

Protect Your Projects

Theft is unpredictable, but there are many workplace controls that firms can implement in order to protect themselves. In addition, it’s important to speak to a broker to seek the appropriate insurance coverages.



IT Security Is a Top Challenge for Firms around the World

A recent survey conducted by Protiviti and the Information Systems Audit and Control Association (ISACA) found that cyber security, privacy issues, infrastructure management and emerging technologies rank as the top IT challenges facing organizations today.

The annual survey—A Global Look at IT Audit Best Practices—gathered responses from over 1,000 IT audit professionals and focused on emerging technology, IT implementation, audits, risk assessments and hiring practices. Respondents were asked to name their greatest technology or business challenges.

The following were the top 10 responses:

  1. IT security, privacy and cyber security
  2. Infrastructure management
  3. Emerging technology and infrastructure changes
  4. Resource, staffing and skills challenges
  5. Regulatory compliance
  6. Budgets and controlling costs
  7. Cloud computing and virtualization
  8. Bridging IT and the business
  9. Project management and change management
  10. Third-party and vendor management

In order to protect themselves and stay current on emerging risks, experts recommend that organizations continually review the IT risk landscape and adjust IT audit plans accordingly.

The survey also found that, while 90 per cent of large organizations conducted an IT audit risk assessment, only a little more than half of them did so on an annual basis.
