Cybersecurity and data loss - It's not just about lost USB keys today
Download as PPTX, PDF0 likes2,713 views
The document discusses updates to Canada's cybersecurity laws regarding data breaches, highlighting amendments to the Personal Health Information Protection Act (PHIPA) and the Personal Information Protection and Electronic Documents Act (PIPEDA). It underlines the importance of breach notification requirements and the increased penalties for violations, emphasizing the need for firms to assess risks and take corrective action promptly. Additionally, it outlines the services provided by the author to help clients navigate compliance and legal challenges related to data breaches.
Cybersecurity and data loss - It's not just about lost USB keys today
- 1. Cybersecurity and data loss It's not just about lost USB keys today Dan Michaluk November 7, 2015
- 2. Cybersecurity and data loss It's not just about lost USB keys today It's not just about lost USB keys today 2
- 3. Cybersecurity and data loss It's not just about lost USB keys today Pop quiz • How many privacy statutes in Canada feature breach notification? 3
- 4. Cybersecurity and data loss It's not just about lost USB keys today PHIPA amendment introduced • Breach definition narrowed slightly – stolen, lost, used or disclosed without authority (unauthorized access gone, thankfully) • Will continue to be no harm threshold • Will require advice of right to complain • Will require notification to IPC • Fines increased from $250,000 to $500,000 4
- 5. Cybersecurity and data loss It's not just about lost USB keys today PIPEDA amendment passed (S-4) • PIPEDA breach notification a game changer • "Breach of security safeguards" – loss, unauthorized access, disclosure • When there is a "real risk of significant harm" • Notification and reporting to individual, to the OPC and to organizations in a position to mitigate • All "as soon as feasible" 5
- 6. Cybersecurity and data loss It's not just about lost USB keys today Is there a real risk of significant harm? • Secure website • 1,300 users post e-mail addresses, first and last name, residence by City, Province or Postal Code • Hacker enters and defaces site • Discovered and immediately fixed 6
- 7. Cybersecurity and data loss It's not just about lost USB keys today Is there a real risk of significant harm? 7
- 8. Cybersecurity and data loss It's not just about lost USB keys today Is there a real risk of significant harm? • E-mail sent to all customers of a client's service • E-mail addresses of others inadvertently disclosed • Population of 15,000 • Company not able to recover e-mail 8
- 9. Cybersecurity and data loss It's not just about lost USB keys today PIPEDA amendment passed (S-4) 9
- 10. Cybersecurity and data loss It's not just about lost USB keys today What we do for our clients • Governance and policy work • Compliance advice • Breach coaching • Advocacy • To the public (with communication pros) • To regulators • In court 10
- 11. Cybersecurity and data loss It's not just about lost USB keys today Dan Michaluk
Editor's Notes
- #2: Extemely important to our clients
- #3: We did our first data breach coaching gig in 2006 when one of our university clients had a 65,000 person alumni database compromised. What’s different now? Class action trend -Jones v Tsige intentional tort -Nonetheless very permissive class action law -Shocking to US counsel High profile extortion of companies -hacker are above the law -wield enormous power -are interested in organizations
- #4: -Three -PIPA in Alberta -PHIPA in Ontario -now PIPEDA federally (it is law, not in force)
- #5: Let’s take a closer look at PHIPA Reminder – PHIPA doesn't govern flow of PHI for employment purposes except through 49 – clarified this year in Hayes' vaccinate or mask decision plus in "Morris" by the IPC Here's how Bill 119 will change reporting
- #6: PIPEDA applies in the commercial sector where provinces do not have their own legislation. Applies to employees of federally regulated employers. Brand new breach notification provision. Given the breadth of application of PIPEDA, this will have a huge impact on our clients. Where it does not apply it will nonetheless have an affect because the expectation of notification will prevail. Our provincially regulated employer clients who suffer a breach, then, will face great pressure to notify because "it is the right thing to do". Two requirements (a) breach of security safeguards (b) harm threshold. “Real risk of significant harm.” Remember those words.
- #7: So is there a real risk of harm here? ….. -good facts -information is not sensitive -period was short -nothing was downloaded…. Looks like access -defacing of site (motive) -bad facts -hacker -1,300 SURVEY -in these circumstances, the Alberta OIPC found a real risk of significant harm -e-mail exposure to a malicious actor … given size of population there is a real risk of enabling spear phishing
- #8: E-mail address + basic facts about individual's relationship with an organization = spear phishing enablement
- #9: -more benign -arguably no duty to notify …. BUT!!! ….. -it is a “breach on display” -skip the analysis about reporting… you have a problem to manage via communicatoins
- #10: This is big news to clients. Needs articulation. Other big changes via 2_4 -change to fundamental rule for