By Security Features • November 8, 2019

3 Lessons from Canada's Breach Notification Law

Someone better break out the birthday candles.

This time last year, Canadian businesses became subject to new regulations under the Personal Information Protection and Electronic Documents Act (PIPEDA) involving mandatory breach reporting.

The new regulations required companies to report to the Office of the Privacy Commissioner of Canada (OPCC) any breach "involving personal information that poses a real risk of significant harm to individuals."

We heard plenty of discussion about this regulation at SecureWorld Toronto.

Now, insights are coming out of the law's first year that can help inform any organization.

1. Canadian breach law: notification numbers from PIPEDA
In the last year, the OPCC received 680 breach reports. That is six times the number of breach notifications it received during the prior year.

Here's what the office has to say about the change:

"It's a staggering increase and higher than we had anticipated given the experience of our counterparts at the Office of the Information and Privacy Commissioner of Alberta when their mandatory reporting laws came into effect.

These reports have also been revealing and have offered a clearer picture of the challenges faced by Canadian businesses."

2. Canadian breach law reveals types of breaches happening
The increasing breach notification numbers help reveal the types of security incidents occurring. Loss, theft, and accidental disclosure are some of the significant ways that breaches occur in Canadian companies, according to the data.

The biggest kind of breach, though? Unauthorized access, a category that makes up more than half of all Canadian data breaches.


Here's what unauthorized access looks like, according to the Privacy Commissioner report:

"Employee snooping and social engineering hacks are key factors behind breaches resulting from unauthorized access. In fact, roughly one in four of the incidents reported to us involved social engineering attacks such as phishing and impersonation."

3. PIPEDA Canada report: what organizations should watch for
Data from the Personal Information Protection and Electronic Documents Act can also tell us what the threat landscape looks like for Canadian businesses and where the risks are. The report hits on third-party risk, security awareness, and more:

"Are third parties collecting personal information on your behalf without appropriate safeguards? Are your employees aware of risks and their privacy responsibilities? Over the last year the OPC has seen each of these scenarios lead to a breach. Identify your organization's weak points before a breach identifies them for you!"

The OPCC also urges collaboration to help increase cybersecurity:

"Be aware of breaches in your industry. Attackers will often re-use the same attacks against multiple organizations. Pay attention to alerts and other information from your industry association and other sources of industry news. Don't be the next vulnerable target."

Check out the complete report: PIPEDA year one statistics


The original post "3 Lessons from Canada's Breach Notification Law" appeared first in Secure World Expo, written by Clare O'Gara.