
Category Archives: Cyber Liability

PIPEDA Privacy Act Amendments Now Law in Canada

Summary

The long-awaited amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), known as the Digital Privacy Act, received Royal Assent on June 18, 2015. Bill S-4 is now law in Canada. Although Cabinet has not yet proclaimed the Act’s breach reporting provisions in force, Canadian businesses should be preparing to comply with them.

An Organization’s Obligations

There are now three breach reporting requirements “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual” as follows:

  1. Reporting to the Privacy Commissioner;
  2. Reporting to the individual;
  3. Reporting to agencies that can reduce harm to the individual.

Significant Harm

In this context significant harm is now broadly defined and “includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”.

Consequences for Non-Compliance

The Commissioner’s office may disclose information about an organization’s personal information (PI) management practices to the public if it believes disclosure to be in the public interest. The Commissioner’s office can enter into compliance agreements with organizations that it believes are, or may be, subject to breaches. Anyone who knowingly contravenes these requirements is subject to a penalty of up to $10,000 on summary conviction or $100,000 on indictment.

What does this mean in the context of cyber risk management?

Canadian organizations are now required to report cyber breaches that may cause “significant harm”, as described above, both to the Privacy Commissioner and to the individual(s) affected. They may also be required to notify other organizations, such as law enforcement, where doing so could reduce the damage caused by the breach.

More than anything else, this development will substantially increase awareness of the extent to which cyber breaches involving personally identifiable information are occurring in Canada. As a result, organizations of all sizes and in all sectors will be more likely to take this important subject seriously. Not only may financial penalties be levied, but considerable damage to the organization’s reputation may follow from public notification and disclosure.

Doug Blakey B. Math
President, Watsec Cyber Risk Management (watsec.com)
and Director, Canadian Centre for Cyber Risk Management (C3RM) (c3rm.org)


Tailoring a Cyber Policy to Your Business

Cyber insurance is relatively new to the insurance market, which can present some challenges for both businesses and insurers. To date, there are no official industry standards for cyber insurance, but there have been major strides made in recent years to establish some regulations.

Due to the breakneck pace of the technological evolution and increasing pressures to digitize data, most businesses are left vulnerable to cyber attacks. The best way to protect yourself and your company is to conduct a risk assessment and identify any gaps in your coverage. Here are a few things worth looking for:

Understand the coverage that you have, and the coverage that you don’t. Many people might make the mistake of assuming that a commercial general liability (CGL) policy covers losses in the event of a cyber attack. However, assumptions like that can be costly, as many CGL policies specifically exclude electronic data. Take the time to review your current coverage and identify any exclusions that might leave you vulnerable.

Understand your company’s specific needs. Companies vary in their use of and dependence on data. For instance, customer data held by financial businesses is comparatively more valuable to criminals. Other companies, like online merchants, may potentially suffer greater losses as the result of an attack that crashes a website or interrupts service. Different policies have different limits, sublimits and exclusions for different kinds of losses, so it’s important to work with an expert who can find exactly where your liabilities lie and what kinds of coverage you need.

Consider retroactive coverage. Unfortunately, cyber breaches often go undetected for a long time. As a result, a policy that only offers coverage to the date of inception might leave you vulnerable to a cyber attack that hasn’t yet been discovered. To mitigate your liability as much as possible, get coverage with the earliest possible retroactive date.

Obtain coverage for third-party vendors. Many businesses outsource their data processing or storage to a third-party vendor. This is a smart move, especially if you aren’t equipped to handle the IT side of your business. Unfortunately, it may leave you liable for damages if the actions of that third party are responsible for a breach. Make sure you have coverage for the actions or omissions of third parties with which you do business.


© 2015 Zywave, Inc.


Small Businesses Most Vulnerable to Cyber Attacks

According to a recent survey, 81 per cent of small business owners think that cyber security is a concern for their small businesses, while 94 per cent either frequently or occasionally think about cyber security issues.

Surprisingly, only 42 per cent of respondents had invested in cyber security protection in the past year, despite the fact that 31 per cent of these businesses had experienced either a successful or attempted cyber attack.

It’s possible that small business owners might simply be spreading themselves too thin. About 83 per cent of small business owners said that they handle cyber security themselves. But given the threat, it was surprising to discover that 95 per cent of small business owners don’t have cyber insurance.


© 2015 Zywave, Inc. All rights reserved.


Physical Protection of Cyber Assets

When it comes to securing cyber assets, many people think only of mitigating cyber risks like spam, phishing and malware. However, cyber assets can also be compromised physically. This article examines the physical exposures your cyber assets face and provides steps for mitigating these risks.

Secure company facilities.

The physical security of a facility depends on a number of security decisions that can be identified through a comprehensive risk management process. It is easy to think about physically securing your company’s facility as merely an exercise in maintaining control of access points and ensuring there is complete visibility in areas that are determined to be high-risk—either because of the threat of easy public access or because of the value of information located nearby. However, maintaining facility security also includes the physical environment of public spaces. For instance:

  • Employees whose computers have access to sensitive information should not have their computer monitors oriented toward publicly accessible spaces such as reception areas, check-in desks and waiting rooms. Employees should be trained to not write out logon information on small pieces of paper affixed to computer equipment viewable in public spaces.
  • Easy-to-grab equipment that could contain sensitive or personally identifiable information (PII), such as laptops, tablets and mobile phones, should be located away from public areas. If you have an environment where employees are working in a waiting room or reception area, train them to not leave these types of devices out on their desks unsecured.
  • Consider using cable locks as an easy way to increase security for laptop computers. Most laptops feature a lock port for a cable that can be connected to the user’s desk. Be sure to store the key to the cable lock in a secure location away from the desk to which the computer is locked.
  • If extremely sensitive information is stored on a laptop, consider installing tracking software. Most tracking software programs run unnoticed, and allow stolen computers to be located more easily. Many also allow administrators to wipe the hard drive remotely, if necessary.
  • Consider implementing a badge identification system for all employees, and train employees to stop and question anyone in the operational business area without a badge or who appears to be an unescorted visitor.

Minimize and safeguard printed materials with sensitive information.

The most effective way to minimize the risk of losing control of sensitive information from printed materials is to minimize the quantity of printed materials that contain sensitive information. Establish procedures that limit the number of copies of printed reports, memoranda and other material containing PII.

Safeguard copies of material containing sensitive information by providing employees with locking file cabinets or safes. Make it a standard operating procedure to lock up important information. Train employees to understand that simply leaving the wrong printed material on a desk, in view of the general public, can result in consequences that impact the entire company and your customers.

Ensure mail security.

Your mail centre can introduce a wide range of potential threats to your business. Your centre’s screening and handling processes must be able to identify threats and hoaxes and to eliminate or mitigate the risk they pose to facilities, employees and daily operations. Your company should ensure that mail managers understand the range of screening procedures and evaluate them in terms of your specific operational requirements.

Dispose of trash securely.

Too often, sensitive information, including customers’ PII, company financial data and company system access information, is available for anyone to find in the trash. Invest in business-grade shredders and buy enough of them to make shredding convenient for employees. Alternatively, subscribe to a trusted shredding company that will provide locked containers for storage until documents are shredded. Develop standard procedures and employee training programs to ensure that everyone in your company is aware of what types of information need to be shredded.

Dispose of electronic equipment securely.

Be aware that emptying the recycle bin on your desktop or deleting documents from folders on your computer or other electronic device may not delete information forever. Those with advanced computer skills can still access your information even after you think you’ve destroyed it.

Disposing of electronic equipment requires skilled specialists in order to ensure the security of sensitive information contained within that equipment. If outside help, such as an experienced electronic equipment recycler and data security vendor, is not available or too expensive, you should at a minimum remove computer hard drives and have them shredded. Also, be mindful of risks with other types of equipment associated with computer equipment, including CDs and flash drives.

Train your employees in facility security procedures.

A security breach of customer information or a breach of internal company information can result in a public loss of confidence in your company and can be as devastating for your business as a natural disaster. In order to address such risks, you must devote your time, attention and resources (including employee training time) to the potential vulnerabilities in your business environment and the procedures and practices that must be a standard part of each employee’s workday.

And while formal training is important for maintaining security, the daily procedures you establish both in how you normally conduct business and in the way you model good security behaviours and practices are equally important. In short, security training should be stressed as critical and reinforced through daily procedures and leadership modelling.

Establishing procedures and training employees to physically protect your company’s cyber assets will allow for a secure work environment.


© Zywave, Inc. All rights reserved.



Preventing Laptop Theft

As more and more companies issue laptops to employees, the chances of losing a laptop (and the data stored on it) to theft are much greater. Follow these guidelines to help keep your laptops safe.

Communicate Employee Responsibility

If your company issues laptops to employees, be sure to communicate that your employees have a responsibility to care for them.

Employees’ work laptops may have their personal information on them—stored website signin information, name, address, work documents, etc.—and they may not realize it. Making employees aware that the theft of a work laptop could personally affect them can be an incentive for them to protect their computers.

It may be beneficial for you to provide a security cable lock when you issue laptops to employees. A cable lock works similarly to a bike lock—one end of the cable has a lock that goes into the laptop’s security slot and the other end is attached to a heavy stationary object, such as a desk. This type of lock works as a visual deterrent, as well, making the laptop less appealing to a thief.

Give your employees frequent laptop safety reminders and updates on new scams or theft tactics. Laptop safety is not a one-time thing—making security a habit will keep your company’s property and information safe.

Laptops That Don’t Leave the Office Are at Risk, Too

A laptop that never leaves the office should not be considered safe from theft. If the laptop is not locked to a docking station or desk, it is vulnerable.

An employee who is planning to quit or who is feeling disgruntled may see stealing a laptop as an easy score. One way to protect your company laptops is to apply tamperproof metal labels with your company name and contact information to each laptop. There are many types of tamperproof labels available, such as labels that etch a permanent message or break into tiny pieces when removed. The labels can also be used to track inventory and software updates.

Deterring theft can also be achieved by engraving the company name on laptops. This will discourage employees from stealing them, because the permanent engraving decreases the resale value.

Use Encryption Software

The physical loss of a laptop may not be as devastating as the loss of the information and data stored on that laptop.

Encryption software uses mathematical algorithms and an encryption key to encode data so that only someone who has the encryption key can read it. There are three different encryption methods you can use, based on the sensitivity of your data. Make sure you choose the right level of protection for your company.

  • Full disk encrypts an entire disk, including all its data. This method is used to encrypt laptops, desktops and mobile devices.
  • Individual file encrypts a single file or creates an encrypted repository for file storage.
  • Data transit encrypts during a transfer, but does not guarantee encryption once the data reaches its destination.

To protect the interests of your company and employees, all devices should be encrypted and require passwords for access.

Install Tracking Software

Tracking software is often called “anti-theft” software—it tracks your laptop to its current location using IP address locations, GPS or Wi-Fi positioning. A stolen laptop can be easier to recover if you’ve installed tracking software before the theft.

Some software can take a photo of the thief if the thief turns on the computer, showing his or her identity. If the thief sells the laptop to someone, capturing the new user’s identity is helpful for finding the thief.

Tracking software can also take screenshots of what the thief is doing on your computer, which is helpful if the thief signs in to his or her own personal accounts. Some software can lock the thief out to prevent him or her from logging on to your computer at all, and some software can remotely delete sensitive data from the hard drive if you tell it to.

Keep in mind that tracking software alone does not prevent theft—your employees’ actions and habits play a major role, too. Contact Precept Insurance & Risk Management today to learn more about defending your company’s laptops against theft.


© Zywave, Inc. All rights reserved.

