Once upon a time, cyber crime was the stuff of Hollywood and science fiction. Recently, though, it has started to affect our everyday lives. Did Russia really influence the U.S. election? Did 1 billion people’s information get hacked on Facebook? According to the Canadian government, over 70% of Canadian businesses have been victims of cyber attacks or breaches, and the average cost of those attacks was $15,000.
We recently realized, from our own clients’ experience and claims, that anyone who uses a computer for their business needs to think seriously about cyber insurance. The landscape is changing daily, both in the cyber attacks and risks that can affect your business and in the legislation that spells out what you, as a business owner, must do when an attack happens.
What is Changing Nov. 1st with the New Legislation?
As of November 1st, 2018, the Personal Information Protection and Electronic Documents Act, otherwise known as PIPEDA, is changing. PIPEDA is the federal privacy law for private-sector organizations, and it lays out the ground rules for how businesses must handle personal information. Starting Nov. 1st, organizations will be required to do three things in the event of a breach of security safeguards involving personal information:
- Report privacy breaches to the Office of the Privacy Commissioner of Canada.
- Notify individuals about privacy breaches.
- Keep and maintain records of all privacy breaches.
This means that if you operate a business in Canada, you will have to pay extra attention to safeguarding the personal information you hold. Should a cyber attack impact your business, cyber insurance is designed to help you respond and to protect you from future threats.
Reporting Privacy Breaches to the Office of the Privacy Commissioner
If an organization determines that a breach of security safeguards has occurred and that it is reasonable to believe the breach creates a real risk of significant harm to an individual, the organization will be required to report it to the Privacy Commissioner of Canada. The report must be made in writing and must contain:
- A description of the circumstances of the breach and, if known, the cause
- The day on which, or the period during which, the breach occurred, or if neither is known, the approximate period
- A description of the personal information that is the subject of the breach, to the extent that the information is known
- The number of individuals affected by the breach, or if unknown, the approximate number
- A description of the steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate the harm
- A description of the steps that the organization has taken or intends to take to notify each affected individual of the breach in accordance with subsection 10.1(3) of the Act, and
- The name and contact information of a person who can answer, on behalf of the organization, the commissioner’s questions about the breach.
Notify Individuals About Privacy Breaches
One of the most important aspects of the new legislation is to ensure that the individuals affected understand the significance and potential impact of the breach. The notification to an affected individual must contain:
- A description of the circumstances of the breach
- The day on which, or period during which, the breach occurred, or if neither is known, the approximate period
- A description of the personal information that is the subject of the breach, to the extent that the information is known
- A description of the steps that the organization has taken to reduce the risk of harm that could result from the breach
- A description of the steps that the affected individual could take to reduce the risk of harm from the breach or to mitigate that harm
- Contact information that the affected individual can use to obtain further information about the breach.
Keep and Maintain Records of All Privacy Breaches
Organizations that become aware of a breach of security safeguards or a cyber attack must keep and maintain a record of the breach. This applies to every breach, regardless of whether it poses a real risk of significant harm. The records must be maintained for 2 years after the organization becomes aware that the breach or attack has occurred, and the Privacy Commissioner can request access to, or a copy of, those records.
Penalties for Failure to Comply
Any organization that knowingly fails to report or maintain records of a breach or cyber attack as outlined by the new legislation will be subject to fines of up to $100,000.
How Will Cyber Insurance Help My Company?
There are several ways to protect your business from a cyber attack or breach. However, it can be difficult to stay ahead of the game and prevent every potential attack from occurring. Assessing your organization, understanding where threats may arise, and knowing what kind of client information you are storing is an important first step. For more information on how to help prevent a cyber attack, check out these 5 helpful tips. An assessment is a good place to start, but adding a cyber insurance policy is the best way to protect against what you cannot prevent. Here are a few of the areas a cyber insurance policy will cover:
- Costs to recover your organization’s data and get you back up and running
- Ransomware payments, or advice on how to proceed
- Third-party costs to assist your clients whose information may have been exposed or stolen
- Investigating the legitimacy of the event
- Business interruption
Are you in need of a cyber insurance policy, or do you want more information? You can call us directly at 1-800-361-0941 or request a quote and have one of our cyber insurance experts make sure you have the proper protection in place.