Ontario business owners who spent the last week celebrating the tabling of Bill 47, legislation that promises to repeal most of the controversial Bill 148 (with implementation of the equally unpopular Pay Transparency Act also due to be delayed and revised), could be forgiven for missing another important change in federal law that took effect on November 1, 2018. This one carries significant cyber and physical security implications for organizations across industries.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is not itself new; it has governed private-sector privacy since the early 2000s. What is new is the mandatory breach-reporting regime that came into force on November 1, 2018. The Act “applies to the collection, use or disclosure of personal information in the course of a commercial activity.” Put simply, if your organization collects personal information from the clients to whom it sells products or services, it falls under the Act. Exemptions exist in provinces whose private-sector privacy legislation has been declared substantially similar to PIPEDA (British Columbia, Alberta and Quebec); Ontario has no such general statute, so PIPEDA applies to commercial activity here, and it applies everywhere to federally regulated organizations such as banks and telecoms and to personal information that crosses provincial or national borders. What does this all mean? According to the Office of the Privacy Commissioner of Canada:
“Organizations covered by PIPEDA must obtain an individual’s consent when they collect, use or disclose that individual’s personal information. People have the right to access their personal information held by an organization. They also have the right to challenge its accuracy. Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, they must obtain consent again. Individuals should also be assured that their information will be protected by appropriate safeguards.”
New disclosure requirements
Perhaps most importantly, the new rules require organizations to report to the Office of the Privacy Commissioner of Canada any breach of security safeguards involving personal information under their control where it is reasonable to believe the breach creates “a real risk of significant harm to an individual,” and to notify the affected individuals as soon as feasible under the same threshold. The trigger is a breach of safeguards, not just hacking: a lost or stolen laptop, or an insider who accesses records without authorization, qualifies just as much as an intrusion. Organizations must also keep a record of every breach of security safeguards, whether or not it met the harm threshold, for at least 24 months, and must hand those records over if the Commissioner asks for them. The language is deliberately open-ended: safeguards must be “appropriate” to the sensitivity of the information, and the organization remains accountable for personal information it hands to third-party vendors for processing.
Knowingly failing to report a breach, notify affected individuals or keep the required records is an offence with fines of up to $100,000, so organizations are wise to be proactive and fall in line with the new rules.
PIPEDA a challenge for SMEs
Smaller businesses will likely have more difficulty complying with the law, particularly when they lack full-time IT staff to track and protect data, and the financial stakes of inadequate cybersecurity are now significantly higher. As if the brand and bottom-line hit from a data theft weren’t bad enough, cash-strapped companies must also worry about Ottawa levying a steep fine when they are at their most vulnerable.
While the new PIPEDA rules are obviously focused on the protection of data and on cybersecurity vigilance on behalf of consumers, they are also about physical security. Why? It’s not uncommon for thieves to steal laptops or servers from an office or retail outlet and then search those devices for anything from sellable business data to credit card numbers. Whether they actually find anything to peddle is beside the point: the theft of a device holding unencrypted personal information is a breach of security safeguards, and it has to be assessed and, where the harm threshold is met, reported like any other. Backups let you recover the data, but they do nothing to stop the thief from reading it; what limits the harm is full-disk encryption on every device that leaves the building, together with the ability to revoke the stolen device’s credentials. Without those controls, losing information to a burglary can be just as bad as being hacked by an online attacker.
An opportunity to think holistically about security
Here’s the good news: PIPEDA represents an important opportunity for organizations of all sizes and across industries to improve their security infrastructure. Without this legislative impetus, many companies would be happy to keep on carrying on, ignoring potential threats and crossing their fingers that a hacker or burglar won’t one day target their precious customer data.
It’s best to look at PIPEDA as a chance to develop a comprehensive security strategy that treats physical and digital security as one problem, analyzing potential vulnerabilities and selecting effective tools to mitigate risk. This is also the ideal time to consider upgrading security hardware such as monitoring, alarm and access-control systems, as well as the software that protects devices such as laptops and the personal information stored on them. These components should work together, because when one is weak, criminals will find and exploit it.
Is PIPEDA compliance potentially costly? Yes, but taking a proactive approach is always less expensive than trying to recover from a massive data breach. For that reason, the legislation could be just the nudge that your organization needed to stay safe and secure.
Winston Stewart, President and CEO