Critical Updates to the Canadian Digital Privacy Act (PIPEDA)


If you work for a Canadian business in the private sector, put down that Timmy Hortons and read this blog. The Government of Canada has a number of amendments to the Digital Privacy Act, which received Royal Assent in 2015. The changes, which officially go into effect November 1, 2018, affect multiple sections within the statute.

The scope of the changes is considerable and wide-ranging, extending across many different areas including valid consent from individuals (when involving personal information), public interest disclosures, new provisions to business transactions and much more. The biggest, and arguably most important, change appears to be applied to the ‘breach reporting, notification and record keeping’ section.

Businesses now have an obligation to notify consumers – as well as third parties and other necessary business partners – with utmost haste upon becoming aware of a data breach that involves personal information. Failure to do so can result in monetary penalties, negative implications to stock price, distrust from existing customers and impact to future performance and profitability for the business. The original statute states:

“‘Breach of security safeguards’ means the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards that are referred to in clause 4.7 of Schedule 1 or from a failure to establish those safeguards.”

There is an omnipresent weakness in the arena of “authorization controls” as described in the Mandiant M-Trends 2018 report. Often, these controls are not hardened to thwart advanced attackers. Organizations are also not doing enough to both secure privileged credentials and enforce multi-factor authentication (MFA). That same report warns, “If you’ve been breached, our statistics show that you are much more likely to be attacked and suffer another breach. If you have not taken steps to enhance your security posture, you are taking a significant risk.” There’s an industry mantra that goes something like this: “There are only two types of companies: those that have been breached and those that will be breached.”

Before You Call the Royal Canadian Mounted Police, Call CyberArk

Before widespread panic ensues, fear not. The CyberArk Privileged Access Security Solution can help your organization mitigate risk from a data breach that originates either from the inside or externally through a variety of advanced techniques. The core of our solution provides advanced monitoring and alerting to aid in the notification of affected individuals and relevant third parties involving “breaches of security safeguards” that pose a “real risk of significant harm” to affected individuals.

Another major element of the statute is the requirement to keep a record of all breaches involving personal information and provide a copy to the Office of the Privacy Commissioner of Canada upon request. CyberArk provides comprehensive and integrated reports on privileged accounts and privileged session activities. The log files are stored in a tamper-proof vault to prevent unauthorized access, modification or deletion of the files. This capability reduces time spent conducting an audit and both simplifies and streamlines the process of reporting back to regulators.

Nobody Likes Bad Hygiene, Especially in Security  

Furthermore, CyberArk has developed a programmatic approach designed to help organizations protect themselves by establishing and maintaining strong privileged access security hygiene. The CyberArk Privileged Access Security Hygiene Program leverages the extensive experience the CyberArk Security Services team has gained from responding to significant data breaches, including many large Canadian organizations. These breaches have resulted from some of the most common attacks on privileged access, providing valuable insights into how attackers operate and exploit an organization’s vulnerabilities.

This mandate, alongside many other recent pieces of legislation, is a giant step in the right direction in the world of security. Providing people with more control over their own personal data is a good thing. Notifying said people when personal data becomes compromised is even better. If we learn from history, consider the words of Abraham Lincoln, “Honesty is the best policy.” That statement certainly rings true today in requiring organizations to be more forthcoming in the event of a breach. The updates made to the Canadian Digital Privacy Act will undoubtedly force businesses to rethink their security strategy, strengthening their security controls to mitigate risk against a personal data breach. In the end, everyone wins.

You can review the changes in this very brief announcement sent out by Her Excellency the Governor General in Council or find more details summarized here.

Be sure to reach out to your local sales representative or contact us to see how we can help support compliance with this privacy act and many others.

The post Critical Updates to the Canadian Digital Privacy Act (PIPEDA) appeared first on CyberArk.

About CyberArk
CyberArk is the only security company that proactively stops the most advanced cyber threats – those that exploit insider privileges to attack the heart of the enterprise. The company has pioneered a new category of targeted security solutions to lock down privileged accounts and protect against cyber threats before attacks can escalate and do irreparable business damage. CyberArk is trusted by the world’s leading companies – including more than 40 of the Fortune 100 – to protect their highest value information assets, infrastructure and applications, while ensuring tight regulatory compliance and audit requirements.