Critical Updates to the Canadian Digital Privacy Act (PIPEDA)

August 9, 2018 Corey O'Connor

If you work for a Canadian business in the private sector, put down that Timmy Hortons and read this blog. The Government of Canada has a number of amendments to the Digital Privacy Act, which received Royal Assent in 2015. The changes, which officially go into effect November 1, 2018, affect multiple sections within the statute.

The scope of the changes are considerable and wide ranging, extending across many different areas including valid consent from individuals (when involving personal information), public interest disclosures, new provisions to business transactions and much more. The biggest, and arguably most important, change appears to be applied to the ‘breach reporting, notification and record keeping’ section.

Businesses now have an obligation to notify consumers – as well as third parties and other necessary business partners – with utmost haste upon becoming aware of a data breach that involves personal information. Failure to do so can result in monetary penalties, negative implications to stock price, distrust from existing customers and impact to future performance and profitability for the business. The original statute states:

“Breach of security safeguards” means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.”

There is an omnipresent weakness in the arena of “authorization controls” as described in the Mandiant M-Trends 2018 report. Often, these controls are not hardened to thwart off advanced attackers. Organizations are also not doing enough to both secure privileged credentials and enforce multi-factor authentication (MFA). That same report warns, “If you’ve been breached, our statistics show that you are much more likely to be attacked and suffer another breach. If you have not taken steps to enhance your security posture, you are taking a significant risk.” There’s an industry mantra that goes something like this: “There are only two types of companies: those that have been breached and those that will be breached.”

Before You Call the Royal Canadian Mounted Police, Call CyberArk

Before widespread panic ensues, fear not. The CyberArk Privileged Access Security Solution can help your organization mitigate risk from a data breach that originates either from the inside or externally through a variety of advanced techniques. The core of our solution provides advanced monitoring and alerting to aid in the notification of affected individuals and relevant third parties involving “breaches of security safeguards” that pose a “real risk of significant harm” to affected individuals.

Another major element of the statute is the requirement to keep a record of all breaches involving personal information and provide a copy to the Office of the Privacy Commissioner of Canada upon request. CyberArk provides comprehensive and integrated reports on privileged accounts and privileged session activities. The log files are stored in a tamper proof vault to prevent unauthorized access, modification or deletion of the files. This capability reduces time spent conducting an audit and both simplifies and streamlines the process in reporting back to regulators.

Nobody Likes Bad Hygiene, Especially in Security  

Furthermore, CyberArk has developed a programmatic approach designed to help organizations protect themselves by establishing and maintaining strong privileged access security hygiene. The CyberArk Privileged Access Security Hygiene Program leverages the extensive experience the CyberArk Security Services team has gained from responding to significant data breaches, including many large Canadian organizations. These breaches have resulted from some of the most common attacks on privileged access, providing valuable insights into how attackers operate and exploit an organization’s vulnerabilities.

This mandate, alongside many other recent pieces of legislation that have come out recently, is a giant step in the right direction in the world of security. Providing people with more control over their own personal data is a good thing. Notifying said people when personal data becomes compromised is even better. If we learn from history, consider the words of Abraham Lincoln, “Honesty is the best policy.” That statement certainly rings true today in requiring organizations to be more forthcoming in the event of a breach. The updates made to the Canadian Digital Privacy Act will undoubtedly force businesses to rethink their security strategy; strengthening their security controls to mitigate risk against a personal data breach. In the end, everyone wins.

You can review the changes in this very brief announcement sent out by Her Excellency the Governor General in Council or find more details summarized here.

Be sure to reach out to your local sales representative or contact us to see how we can help support compliance with this privacy act and many others.

Previous Article
Stop ATM Cash-out Attacks by Securing Privileged Access
Stop ATM Cash-out Attacks by Securing Privileged Access

According to security reporter Brian Krebs, the FBI issued a confidential alert to banks on Friday, warning...

Next Article
How to Handle “Office Space” Moments and Move Forward with Your Privileged Access Security Program
How to Handle “Office Space” Moments and Move Forward with Your Privileged Access Security Program

One of the most well-known characters from the cult-classic movie “Office Space” is Milton Waddams, who fam...