Keeping customers’ personal information safe and private is your legal responsibility. Cut and dry, black and white, no joking around. By law, we are required to report any breach or suspected breach. These policies fall under the Canadian Personal Information Protection and Electronic Documents Act, otherwise known as PIPEDA. It’s a good time to address this issue, as amendments were made to the law in April 2018, requiring stronger reporting rules and penalties. These new rules came into effect on November 1, 2018. Here is a good time for another cut and dry statement: your business cannot afford a breach.
In this article, we’ll discuss what the new rules are, and how your company can avoid a breach.
The New Rules
As of November 1st, 2018, businesses are required to:
Report any breach, suspected breach, or potential breach of private information to affected parties;
Report any breach, suspected breach, or potential breach of private information to the privacy commissioner; and
Keep a record of privacy breaches.
A breach is a failure in security safeguards involving personal information that creates a real risk of significant harm to an individual. “Significant harm” includes bodily injury, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, adverse effects on the credit record and damage to or loss of property.
An obvious example would be giving up somebody’s credit card information – risk of financial loss; a less obvious example would be losing their home address – posing a threat of identity theft.
Obviously, no business wants to report this risk to a customer. At a minimum it would be embarrassing, but it could also result in the loss of the customer’s patronage. However, if a business is found to have not reported a breach, a fine of up to $100,000 could be charged per infraction.
What Businesses Can Do to Avoid a Breach
Amidst the sea of information and advice, four things stand out that will make the most significant difference. They are regular updates of computing software, encryption of devices, multi-factor authentication, and end-user training. Let’s review each of these from easiest to the most difficult.
Often, when a data breach occurs, it is because a software vulnerability hasn’t been patched. Make sure your phones, laptops, desktops, and server computers have regularly scheduled patches.
Encrypt, encrypt, encrypt. To be more specific, make sure that any device (cell phone, laptop, desktop) that could physically be stolen or tampered with, has encrypted storage.
Implement Multi-Factor Authentication
MFA (Multi-Factor Authentication) is the new security for passwords. We discussed it here a few months ago so I won’t go into detail. It essentially adds a layer of security to your username and password that is impossible to crack. It is crucial for breach protection because if somebody gives up their username and password to something like a cloud database, the remote bad guy can’t actually get in and steal your data.
End User Training
The weakest link could be your team. If you, or your organization, can’t recognize phishing (email fraud), or other forms of data fraud, then it is only a matter of time before you lose money or data; and if you lose data, you’ll probably lose money too. A little training goes a long way in preventing a breach of security that results in the loss or theft of private information.
A PIPEDA breach is when your business has knowingly or unknowingly allowed an individual’s private information to be disclosed, and the individual may be at risk because of the disclosure. Nobody wants this. Breaches are bad for business.
If you need help with IT Services in Calgary, make sure to contact the experts at YellowWood IT. Small business depends on the right technology, at the right time, in the right place. At YellowWood IT, we have the requisite knowledge and purpose to help you and your small business with your technology. Get started with confidence: www.yellowwoodit.ca | (844) 387 – 0607