On November 1st 2018, Canada implemented it’s new law on data breaches – what does this mean for you and your business? We read through the legislation and broke it down and made it as simple as possible. Here is everything you need to know on Canada’s new cyber security laws: the Breach of Security Safeguards Regulations.

When do I report a data breach?

As a business keeping personal information about their clients, it’s important to know what a breach of security safeguards even means. Canada recognizes the different ways you can protect your data: from physical measures (like locked file cabinets), organizational measures (like security clearances), and technological measures (like passwords and encryptions). A breach of security safeguards means the loss of, unauthorized access to or unauthorized disclosure of personal information caused by a breach of any of the three measures last mentioned – OR failing to implement any security measures at all. Whether the breach affects 1 person or 1,000,000 people, you still must submit a report.  There is no specific timeline you must follow to report a breach. Instead, a report shall be given “as soon as feasible” after an organization recognizes a breach[1]. If a breach to your organization does happen, you must keep record of the data breach for at least 24 months from the day your breach occurred.

Who and where do I report a data breach to?

The Office of the Privacy Commissioner of Canada is the official government office responsible for processing all data breach reports.

Here is the website for the Privacy Commissioner.

Here is the form to complete to report a data breach to the government. The form can be submitted by email, post mail or in person delivery.

If you believe the victims of the data breach are at real risk of significant harm, you must notify them of the breach. Notification to the affected individuals should be given directly by email, telephone, mail, etc. In cases where direct notification can cause more harm to the victim or the organization, a report can be made indirectly through public communication.

What does my data breach report need to include?

A report to the Privacy Commissioner must include:

  • Legal name of the organization breached
  • Contact information on who can respond to any questions the government has
  • Number of victims affected
  • When the breach occurred
  • Description of the circumstances of the breach/the cause of the breach
  • Description of the personal information taken
  • The steps on how the organization will notify the victims
  • Any measures to reduce the risk of harm to the victims

A report to the affected individual will need to include all of the following:

  • A description of the circumstances of the breach
  • The day or period the breach occurred
  • A description of the breached information
  • A plan to reduce risk for the future
  • A plan for the victims to reduce the chance of breach in the future
  • Contact information if any victim wants to request more information on the breach

With the Canadian government getting more serious about cyber security, it’s important that organizations and businesses do the same. Cyber criminals have so many different weapons to choose from to breach your data, and it’s becoming more and more important to be proactive then reactive. Lucky for us, there are strong defenses against the best weapons:

Have you been hit with ransomware, or are you scared to be the next victim? Business Continuity Solutions can help you have a plan to retrieve important data in case a ransomware attack happens to your business. Remember to never pay the ransom.

Are you scared that the recent breaches to large corporations, like Facebook and Yahoo have left you vulnerable? Dark Web Monitoring ensures that you know when your credentials are being sold online.

Are you and your employees getting a lot of phishing emails? Email Protection Services and cyber security training makes everything safer, making sure no one falls for the most intelligent of internet schemes.

If you want to learn how to stay cyber safe, Contact Us to see how we can bring your business ahead of the game!