Businesses of all types store customer data. Some store only minimal information like email and home addresses. Those offering professional services might store client corporate, proprietary, tax and legal details, and reports. Others may handle important health-related information every day.
Threat actors are increasingly motivated and capable of obtaining and monetizing sensitive data. Given trends toward service-oriented economies and the information digitization that goes with it, it's never been more important to know where data is and how it's protected.
What is mandatory breach reporting?
Mandatory breach reporting is becoming a legal and regulatory requirement in many jurisdictions around the world. This post will dive into Canada’s implementation of this concept, but the concepts will be similar or identical to the requirements where you are located.
Mandatory breach reporting requires that businesses can thoroughly explain what happened if a security incident occurs. To do that, however, businesses must first understand where and how client and third-party data is stored.
Regulators, lawmakers, and your customers expect that you take reasonable steps to protect personal and protected information. This means not only preventing unauthorized access to that data but also detecting and explaining the unauthorized access if it does occur.
This is easier said than done because protected client information may be distributed across many locations:
In internal on-premises databases
In cloud systems
On individual desktop or server systems
Another challenge? Basic security tools and processes rarely provide threat detection or the post-incident support and data needed to reconstruct what happened. Being able to identify threats and vulnerabilities on your network, or to review events meaningfully after an incident, is not part of most baseline IT packages or configurations.
Canada’s mandatory breach reporting laws
In Canada, there are several pieces of legislation about the importance of protecting sensitive data held by third parties. Most notable is the Personal Information Protection and Electronic Documents Act (PIPEDA). Virtually all organizations that handle Canadians’ data are subject to PIPEDA.
In late 2018, new regulations came into force in Canada related to mandatory reporting of breaches of security safeguards. All organizations subject to PIPEDA were impacted by these regulations. Prior to this, some parts of Canada already had similar or complementary provincial requirements.
Businesses that experienced a data breach were now obligated to:
Conduct a risk assessment to determine if the breach poses a real risk of significant harm to any individual whose information was involved in the breach.
Notify affected individuals and report to the Privacy Commissioner of Canada as soon as feasible if the breach posed a real risk of significant harm.
Notify any other organization that may be able to mitigate harm to affected individuals.
Maintain a record of any data breach that they became aware of and provide that to the Commissioner upon request.
Terminology such as “real risk of significant harm” and the concept of “security safeguards” are relatively non-specific. That said, the Privacy Commissioner of Canada has published some helpful tips and steps to consider. Nevertheless, the obligations and process for reporting a breach are quite clear.
Mandatory breach reporting requirements
Following an incident, the victim organization must report:
The number of individuals affected by the breach
When the breach occurred (start and end)
A description of the breach, including “how and why” the breach occurred, when it was discovered, and who may have had access to the personal information
A description of the relevant security safeguards in place at the time of the breach to prevent that type of incident
A description of the steps taken to reduce the risk of a similar event in the future
Steps taken to notify the individuals who were affected
All organizations strive to avoid being affected by a cyber security threat, yet even some of the best-protected and best-resourced organizations are still affected by compromises and data leaks.
It can happen to any organization. Thinking forward to a potential incident, would you be able to:
Reliably identify the start and end of a compromise, or are you relying on a third party to notify you that customer data was found on the Internet? What systems are gathering this data for you, and where is it kept?
Scope the size of a compromise, including how much data was lost?
Express what security safeguards are in place to protect that data and identify a compromise? Are they adequate? How do you know? Is your team properly equipped and supported?
Highlight what processes and plans are implemented to evaluate threats and vulnerabilities to the personal data you manage?
Having thoughtful answers to these questions will help manage a cyber security incident, and likely limit the scope of reporting requirements.
For example, if an unknown threat had unknown access for an unknown amount of time, the conclusion may be that all client data over all time is presumed to have been lost. In contrast, a clear statement showing only a single, non-customer data handling account was compromised for a two-day period would be considerably different.
Incident reporting aside, preparation and protection against cyber threats will demonstrate to your customers that their data privacy and security are being taken seriously.