Everything You Need to Know About a New Canada Data Breach Notification Law — and How CSPi Can Help Improve Compliance
Past CSPi blog articles have provided a closer look at various data privacy regulations, and now there’s yet one more that you should be aware of. On November 1, 2018, a new Canada data breach notification law went into effect, requiring businesses to record all breaches and notify Canada’s Office of the Privacy Commissioner as well as those affected by breaches, of incidents that “pose a real risk of significant harm to individuals” (their words).
As we’ve noted in blogs before, this type of requirement follows similar laws in place, not only in other Canadian provinces but also at the international level, by following the precedent set by GDPR.
Yet it is important to note that, unlike some European regulations, Canada’s new data breach notification law does not shift data breach responsibility to outside vendors if a breach occurs. Instead, it pushes the obligation to the companies themselves to make sure they have adequate controls in place.
What does this new Canada data breach notification law mean for you?
Even if you are not a Canadian company or do business in Canada, it is still worth thinking about its implications and your overall security strategies. Especially since these new requirements are likely to be part of a regulation that does affect you, and may influence better security practices.
For example, the new Canada data protection law requires the recording of all breaches, even if a minor breach doesn’t meet the “real risk of significant harm” threshold. Yet, as we’ve described before, it’s impossible to record a breach unless you know it’s happening, and the vast majority of breaches are not discovered until weeks or months (or longer!) after they happened. Traditional security approaches make it difficult, if not impossible, to comply with this requirement.
Even still, this regulation calls for a minimum amount of recordkeeping that must include the date or estimated date of the breach, the nature of the breach, a general description of the incident’s circumstances, and whether or not it was reported (both to Canada’s privacy commissioner and affected individuals). Companies must keep these records for two years.
The Canada data breach notification law also requires that the record contain sufficient details about the breach. This information is needed to let the privacy commissioner assess whether the organization has correctly applied the “real risk of significant harm” standard, and in turn, met its obligation to report breaches.
This information could include a brief explanation of why the organization determined that there was no real risk of significant harm. This highlights the need for a security solution that can prove that the data was encrypted, record all evidence of the breach, and perform very focused forensic analysis.
A better way to achieve compliance with the Canada data breach notification law
At CSPi, we understand the need for this information and have developed our solutions to give companies the tools and capabilities needed to improve compliance.
Our ARIA Software-Defined Software (SDS) solution provides complete security of high-value data and other critical assets no matter where they are stored, used, or accessed. This approach of focusing on PII data is a departure from typical breach prevention and detection solutions. With ARIA SDS, all data traffic is monitored as it moves through the network, including east-west traffic. This enhanced network security capability is important because of the fact that up to 80% of east-west traffic may be unmonitored as most security tools are set up to inspect north-south traffic.
Going further, ARIA SDS also provides automatic policy enforcement, ensuring not only that data is protected but that applications are accessed by only those authorized to do so; however, if unauthorized access is detected, it is immediately flagged for investigation.
In addition, our Myricom nVoy Series pairs seamlessly with ARIA to provide the reporting needed to prove compliance with regulations like the Canada data breach notification law. With our 10Gb recorder, security teams can take advantage of packet-level recordings of all conversations between critical devices and data. With full line-rate packet capture with zero packet loss and extremely accurate timestamping, this technology provides the data needed to have complete visibility into the possible effect on critical data, such as PII or PHI. It delivers automated breach verification and notification using intrusion alerts generated by a company’s existing security tools. With this information in hand, the nVoy Series enables security teams to complete tightly focused breach investigation in mere hours — not days, weeks, or months — a dramatic improvement in breach response.
These capabilities help comply with the requirements of the new Canadian data breach notification law and many others. For example, the new Canadian law requires notification to affected individuals “as soon as feasible” after the company determined a breach occurred. While the law doesn’t provide a specific timeframe — a compliance inconsistency and challenge we pointed out in our Data Privacy Regulations eBook — it seems that this is designed to give companies time to thoroughly detect what information was hacked.
While this is intended to give companies the right amount of time to research what happened before reporting it, such ambiguity could lead to possible compliance issues down the road. For example, companies may believe they have more time that the regulation intended.
Again, the Myricom ARIA SDS platform and nVoy Series could help avoid such an issue. It provides auditable proof of the exact impact of the data breach, including when it started/ended, what devices were affected, what critical databases or files were accessed, and more — all can be completed within hours of a verified breach.
With CSPi solutions, organizations are successfully accelerating incident response times and improving their breach response capabilities and ensuring compliance with increasingly stringent data privacy regulations, including the Canada data breach notification law.
Interested in learning more? Visit our nVoy Series page or download our How-to Guide: Successfully Complying with Data Privacy Regulations today.
Originally published at cspi.com/blog on February 28th, 2019.