
Category Archives: Cyber Liability

Is Your Organization Ready for Mandatory Data Breach Notifications?

Overview

On June 18, 2015, the Digital Privacy Act (DPA) received royal assent and became law. Among other things, the DPA amended the Personal Information Protection and Electronic Documents Act (PIPEDA) by revising consent requirements, introducing mandatory breach notification and record-keeping requirements, and adding significant fines for non-compliance.

While many of the measures introduced by the DPA have been in force since the bill was first enacted, the government held off on imposing mandatory breach reporting until the proper regulations were implemented.

Such regulations could be in place as early as fall 2017, and organizations will want to ensure that they know what is expected of them in order to remain compliant and avoid costly fines as high as $100,000.

Mandatory Data Breach Notifications

The DPA imposes reporting requirements for every organization in Canada that suffers a data breach, particularly if that data breach creates a real risk of significant harm to the personal information of one or more individuals. While the full extent of the reporting requirements will not be known until the corresponding regulations are published, the DPA defines significant harm broadly to include the following:

  • Bodily harm
  • Humiliation
  • Damage to reputations or relationships
  • Loss of employment, business or professional opportunities
  • Financial loss
  • Identity theft
  • Negative effects on credit records
  • Damage to or loss of property

Most often, the existence of “a real risk of significant harm” will be based on the sensitivity of the personal information involved in the breach, the probability that the personal information will be misused and additional factors that may be prescribed by the forthcoming regulations.

If a breach causing significant harm to one or more individuals occurs, the affected organization must do the following, as soon as feasible:

  • Report the incident to the Office of the Privacy Commissioner of Canada (Privacy Commissioner).
  • Notify affected individuals of the breach and provide them with information on how they may minimize the harm caused by the breach.
  • Inform other organizations and government entities of the breach, especially if they believe that doing so could reduce risks or mitigate harm.

Notices must contain enough information to help affected individuals fully understand the extent of harm caused by the breach. Additionally, notices must be conspicuous and provided directly to affected individuals. However, in limited circumstances, indirect notices may be permitted. Once again, more detail will be available to organizations once the forthcoming regulations are published.

Record-keeping Requirements

Another key change under the DPA will be the requirement that organizations keep records of all security breaches involving personal information. While the level of detail these records will need to contain is still unclear, it is clear that the Privacy Commissioner will have the right to request and review these records at any time.

Penalties for Non-compliance

Under the DPA, fines up to $100,000 may be imposed against organizations that knowingly violate the mandatory breach notification requirements or breach record-keeping requirements. Until the regulations are finalized, it will remain unclear if a violation will include a single incident (for example, a single failure to notify all individuals impacted by a breach) or each incident (for example, each failure to notify each individual impacted by a breach). However, it is clear that the Privacy Commissioner now has the ability to impose significant fines for non-compliance.

What Does this Mean for Organizations?

Mandatory data breach notifications could impact any organization that is at risk of a cyber attack. Given the reach of the DPA and upcoming regulations, all organizations should consider doing the following:

  • Review and update existing protocols and policies to account for detecting, responding and reporting data breach incidents internally.
  • Assess the types of information—personal information, intellectual property, supplier data, etc.—they hold and how they would respond in the event of a breach.
  • Create a data breach incident response plan if one does not already exist. Such a plan should include methods for notifying the Privacy Commissioner and any impacted individuals.
  • Ensure that they have sufficient insurance in place and have taken the steps to mitigate any litigation exposures. Such steps often include requiring employee training, performing security audits and identifying cyber security vendors.

Organizations should review the DPA to ensure they are compliant with all aspects of the legislation.

© Zywave, Inc. All rights reserved


IT Security Is a Top Challenge for Firms around the World

A recent survey conducted by Protiviti and the Information Systems Audit and Control Association (ISACA) found that cyber security, privacy issues, infrastructure management and emerging technologies rank as the top IT challenges facing organizations today.

The annual survey—A Global Look at IT Audit Best Practices—gathered responses from over 1,000 IT audit professionals and focused on emerging technology, IT implementation, audits, risk assessments and hiring practices. Respondents were asked to name their greatest technology or business challenges.

The following were the top 10 responses:

  1. IT security, privacy and cyber security
  2. Infrastructure management
  3. Emerging technology and infrastructure changes
  4. Resource, staffing and skills challenges
  5. Regulatory compliance
  6. Budgets and controlling costs
  7. Cloud computing and virtualization
  8. Bridging IT and the business
  9. Project management and change management
  10. Third-party and vendor management

In order to protect themselves and stay current on emerging risks, experts recommend that organizations continually review the IT risk landscape and adjust IT audit plans accordingly.

The survey also found that, while 90 per cent of large organizations conducted an IT audit risk assessment, only a little more than half of them did so on an annual basis.


88 Per cent of Employees Lack Knowledge to Prevent Cyber Incidents

According to a recent report, 88 per cent of employees lack the understanding necessary to prevent common cyber incidents.

That report was designed to test the level of knowledge and awareness of cyber security among employees by asking them to name proper behaviours in given circumstances. The survey covered eight risk domains and assigned three risk profiles—Risk, Novice and Hero—to indicate an employee’s privacy and security awareness IQ.

Key findings from the report include the following:

  • Only 12 per cent of respondents earned a “Hero” profile, while 72 per cent were given a “Novice” profile and 16 per cent were given a “Risk” profile.
  • Almost 40 per cent of respondents disposed of a password hint using insecure means.
  • About 25 per cent of respondents failed to recognize a sample phishing email, even though it came from a questionable sender and included an attachment.

Educating Employees

This report highlights one of the key vulnerabilities of any organization—employees’ lack of basic cyber security knowledge. Regardless of other hardware or network protections, employees can and will allow cyber criminals into an organization, often without even realizing it.

Fortunately, employee cyber training can help reduce this risk to your organization.


Government of Canada Endorses G7 Guidelines

The government of Canada recently announced its endorsement of the Group of Seven’s (G7) Fundamental Elements of Cybersecurity for the Financial Sector guidelines. These guidelines are designed to assist organizations, particularly in the financial sector, in designing and implementing a cyber security framework.

The non-binding guidelines identify eight basic building blocks for establishing a strong focus on cyber security:

  1. Implement a cyber security strategy
  2. Governance
  3. Risk assessments
  4. Monitoring
  5. Response
  6. Recovery
  7. Information sharing
  8. Continuous learning

While the G7 guidelines are aimed at businesses that operate in the financial sector, they are useful in summarizing basic cyber risk management practices.


Criminals Hijacked 100,000 Devices in Dyn Cyber Attack

Recently, Dynamic Network Services Inc. (Dyn)—a cloud-based internet performance management (IPM) company in the United States—had its server infrastructure compromised following distributed denial-of-service (DDoS) attacks. Dyn said that more than 100,000 devices may have been involved in the massive cyber attack that overwhelmed its servers and produced a ripple effect, temporarily shutting down access to sites like Twitter and Netflix for the east coast of Canada and much of the northeastern United States.

How the Attack Worked

A DDoS is a type of cyber attack that hijacks multiple devices—usually through installing and spreading malware—to “flood” a specific group of servers with a multitude of requests for information all at the same time. The tactic effectively “clogs” the servers so that they’re unable to handle normal web traffic and can ultimately force them to shut down temporarily.

In the past, attacks like these would typically utilize personal computers to carry out the attack. In this case, however, it appears that the attack co-opted a number of “smart” devices—things like digital video recorders (DVRs), printers and even cellphones. Government officials currently believe that a non-state actor is behind the attack, but as the investigation is still ongoing, they have yet to definitively rule anything out.
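To show why a flood spread across many hijacked devices is harder to spot than one noisy client, here is an added example (not code from Dyn or from the original article) that buckets constructed DNS resolver log lines per second and labels any overloaded second as distributed or single-source by counting distinct source addresses; the log format, addresses and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed resolver query log (not real Dyn data). Each line is
# "<epoch_second> <source_ip> <queried_name>".
def build_sample(distributed):
    lines = []
    for t in range(10):                      # 10 s of normal traffic
        for i in range(3):                   # 3 ordinary clients, 1 query/s each
            lines.append(f"{t} 10.0.0.{i + 1} twitter.com")
    for t in range(5, 8):                    # flood during seconds 5..7
        if distributed:
            for d in range(200):             # 200 hijacked devices, 1 query/s each
                lines.append(f"{t} 192.0.2.{d} twitter.com")
        else:
            for _ in range(200):             # one client sending 200 queries/s
                lines.append(f"{t} 198.51.100.7 twitter.com")
    return lines

def analyze(lines, rate_threshold=50, distinct_threshold=20):
    """Bucket queries per second; flag buckets whose rate exceeds the
    threshold and label them by how many distinct sources contributed.
    A per-source rate limit would catch only the single-source case."""
    buckets = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in lines:
        ts, src, _name = line.split()
        buckets[int(ts)]["count"] += 1
        buckets[int(ts)]["sources"].add(src)
    alerts = {}
    for ts in sorted(buckets):
        b = buckets[ts]
        if b["count"] < rate_threshold:
            continue                          # within normal load
        kind = "distributed" if len(b["sources"]) >= distinct_threshold else "single-source"
        alerts[ts] = (kind, b["count"], len(b["sources"]))
    return alerts

if __name__ == "__main__":
    for name, flag in (("distributed", True), ("single-source", False)):
        print(name, analyze(build_sample(flag)))
```

In the distributed case every device stays at one query per second, so only the aggregate rate and the source count reveal the flood.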

Key Takeaways

Regardless of the source, the attack highlights a pair of troubling trends. First, this DDoS attack was one of a growing number of more sophisticated attacks. And, while Dyn—a company with robust cyber security measures—was able to restore its regular operations fairly quickly, it only did so after defeating two separate waves of the attack.

Second, and perhaps more importantly, this attack shows the potential vulnerability posed by the increasing number of interconnected, internet-enabled devices commonly called the Internet of Things (IoT). The inter-connectivity of devices on the IoT is the source of a number of benefits; however, that very same inter-connectivity offers cyber criminals an often overlooked—and potentially less secure—avenue of attack.
