New Breach of Security Safeguards Regulations (Canada) Come into Effect November 1st

As we outlined in our previous post last year (here), in just over a month (November 1st, 2018) the new Breach of Security Safeguards Regulations come into force in Canada.

These regulations legally require all private sector (non-government) organizations to report every cyber security breach to both the Privacy Commissioner of Canada and all directly and indirectly affected individuals. The Regulations outline the exact contents required and the notification methods that are acceptable.

Contents for Report to Commissioner

  • a description of the circumstances of the breach and, if known, the cause;

  • the day on which, or the period during which, the breach occurred or, if neither is known, the approximate period;

  • a description of the personal information that is the subject of the breach to the extent that the information is known;

  • the number of individuals affected by the breach or, if unknown, the approximate number;

  • a description of the steps that the organization has taken to reduce the risk of harm to affected individuals that could result from the breach or to mitigate that harm;

  • a description of the steps that the organization has taken or intends to take to notify affected individuals of the breach in accordance with subsection 10.1(3) of the Act; and

  • the name and contact information of a person who can answer, on behalf of the organization, the Commissioner’s questions about the breach.

Contents for Report to those Affected by the Breach

  • a description of the circumstances of the breach;

  • the day on which, or period during which, the breach occurred or, if neither is known, the approximate period;

  • a description of the personal information that is the subject of the breach to the extent that the information is known;

  • a description of the steps that the organization has taken to reduce the risk of harm that could result from the breach;

  • a description of the steps that affected individuals could take to reduce the risk of harm that could result from the breach or to mitigate that harm; and

  • contact information that the affected individual can use to obtain further information about the breach.

Record Keeping

Your organization must maintain a record of every breach of security safeguards for 24 months after the day on which the organization determines that the breach has occurred.

Handling a Notification

We suggest having a Breach Policy in place that has been pre-approved by your lawyer, PR firm and your insurance provider (if applicable). happier IT can provide your organization with a sample policy. The sample policy, or any policy, should at minimum be reviewed with, and approved by, your lawyer.

In addition, every organization can and should be continually improving its cyber security. Data breaches and attacks are on the rise. Making security a priority is a very important first step to ensuring that your business is protected.

To find out where you stand, happier IT can provide your business with a cyber security assessment. Contact us today.

More Information

We highly encourage you to read more about the Breach of Security Safeguards Regulations here: http://gazette.gc.ca/rp-pr/p2/2018/2018-04-18/html/sor-dors64-eng.html
