On November 1st, 2018, the Breach of Security Safeguards Regulations come into effect for Canadian organizations from coast to coast. At least, for those who have personal data, commercial transactions or customers across Canada. Is that most of you? Thought so!
ActiveCo has kept in contact with Innovation, Science and Economic Development Canada (the writers of the incoming legislation) throughout our entire compliance preparation process, which is tailor-made for the new requirements to ensure our clients are ready for the deadline.
We are often confronted with the same questions and assumptions, so we are posting a few here that we have spot-checked on your behalf. Enjoy!
Fiction: There will be a grace period.
Fact: The grace period actually started back in 2015 and ends on November 1st, 2018. When the government introduced us all to the Digital Privacy Act, their expectation was that organizations would begin taking steps towards compliance. Most did not. If you are still reading, you probably did not.
Fiction: “We budget for fines”.
Fact: Not this kind of fine. Infractions could cost up to $100k per record. That means if one record of personal data (any personal information that is not Name, Title, Business Contact Info) is breached, that one record is $100k. Hackers rarely work as hard as they do to obtain one single record. Therefore, multiply 100 by however much data you have and there’s your magic number.
Fiction: We have security, anti-virus, we’re all good.
Fact: The security safeguards required to be in place for the new legislation are far above and beyond what many businesses are used to. Simply having a firewall will not cut it (actually, it doesn’t cut it even before the legislation, so maybe you should call ActiveCo..?). If your organization is ever found not to have taken steps to put appropriate security onto your business networks, you may be subject to these very fines, regardless of whether or not a breach ever happened.
Fiction: We don’t collect information, so there is nothing at risk
Fact: Every business has information on individuals beyond their Name, Title, Business Contact Info. That “personal information” includes home addresses, birthdays, pictures posted online and way more.
Fiction: We’re too small to bother
Fact: No organization is too small to bother. So long as you have personal data (described above) and perform commercial transactions within Canada, you will want to take steps to pursue compliance prior to November 1, 2018.
Fiction: We’ve never been hacked (…and we never will be hacked!)
Fact: The opposite of that statement. Odds are good that a breach of some kind has occurred, be it an email that was clicked on, or someone in Department A knowing information from Department B that they shouldn’t be privy to. The base expectation of the new compliance legislation is that organizations must have proper security safeguards in place and consistently monitor all breach attempts.
The incoming regulations will be impactful for the rest of our lives, requiring organizations everywhere to take a new, hard look at how they transact business and treat their data. Other organizations will want to ensure they are working exclusively with those who also took the time and energy to pursue compliance. Job-seekers will want to work with companies that respect and protect their personal information. Governments will continue to spot-check to ensure organizations are providing those environments for their clients, prospects and employees.
Need more information? Reach out at 604.931.3633 or book a consultation today!