Co-authored by Robert Myles, CISSP, CISM, and Kevin McPeak, CISSP, ITILv3
Data breaches in Canada have accelerated alarmingly in recent years, placing the security of Canadian citizens and the country’s economy at risk. In June 2015, the Government of Canada passed the Digital Privacy Act (DPA), which amends and updates existing federal privacy legislation. The DPA governs how private sector organizations collect, use, and disclose personal information in the course of commercial business. The intent of the DPA is to encourage Canadian organizations to properly safeguard any private data they collect on their customers, members, employees and/or donors. It is also an effort to restore confidence in Canada’s digital ecosystem among Canadians who have become increasingly alarmed about the frequency with which private information has been compromised or mishandled. The DPA requires all Canadian organizations to:
- Report any security breach involving private information to Canada’s Privacy Commissioner if it is “deemed to create real risk of significant harm,” such as reputation damage, financial loss, identity theft, and/or negative effects on one’s credit record.
- Notify all affected individuals “as soon as feasible” that their information has been breached and that there is a risk of significant harm.
- Maintain records of all security breaches.
The DPA is expected to go into effect in 2017 and gives Canada’s Privacy Commissioner the authority to audit any organization and impose fines for non-compliance. Many Canadian organizations are now reassessing their cyber defense posture, technical capabilities, and overall readiness to meet this new legal requirement and avoid the penalties for non-compliance.
Even when an organization discovers a data breach and reports it promptly, responding to and recovering from the breach remains costly. In Canada, the cost of remediating a single breached record averages $250, and the study behind that figure pegs the total cost of a breach incident at over $5 million. This estimate accounts for lost customer business (34%), investigations and forensics (23%), auditing and consulting (10%), increased customer acquisition cost (9%), and other expenses such as identity theft protection fees. In Canada and around the world, the ability to prevent breaches and to respond quickly when a compromise does happen has become a key business imperative.
For more information on how to prepare for the DPA, please visit: go.symantec.com/ca/dpa