Canadian privacy laws

Illustrated by Dorathe Victor

If your organization is based in Canada, you are probably familiar with the Personal Information Protection and Electronic Documents Act (PIPEDA). In place for more than 20 years, it sets out rules for how businesses should collect, use, and disclose personal information in the course of commercial activities. Personally identifiable information (PII) protected under PIPEDA includes name, age, ID number, income, ethnic origin, blood type, and more.

However, in November 2020, the government of Canada proposed the Digital Charter Implementation Act to strengthen privacy protections for Canadians. The act will create the Consumer Privacy Protection Act (CPPA), which would repeal parts of PIPEDA. If and when it’s passed, companies in Canada will need to comply with the new regulations. But there’s no reason to wait: both PIPEDA and the CPPA have the same mission, and it’s best to have your bases covered in an increasingly digital world.

What happens if there’s a privacy breach?

PIPEDA requires organizations to report a breach if it poses a real risk of significant harm, which includes identity theft and compromised passwords. Non-compliance with PIPEDA can cost up to $100,000 depending on the severity of the violation, while the CPPA proposes a maximum penalty of $25,000,000 or 5% of the gross global revenue of the previous financial year, whichever is higher.

Data breaches: Center stage in 2022

Data is the new gold, and remote work has left businesses more vulnerable than ever on the endpoint security front.

In March 2022, data extortion hacking group Lapsus$ made headlines when it shared screenshots claiming to have breached an identity and access management organization. The organization admitted to the breach and stated that around 366 of its customers were impacted. Around the same time, a tech giant also acknowledged that it faced a breach by Lapsus$, where one of its employees’ accounts was compromised.

According to a Grant Thornton survey, the Communications Security Establishment said it’s aware of 235 ransomware incidents against Canadian victims from January 1, 2021 to November 16, 2021. The survey also revealed that more than half of those targets were critical infrastructure providers, including those in the energy, healthcare, and manufacturing sectors.

“What I’ve noticed in Canada is a lot of organizations say ‘It’s not going to happen to me.’” – Peter Morin, national cybersecurity leader at Grant Thornton Canada

In another survey, conducted in August 2021 among 510 security decision-makers across Canada, 17% of respondents said they had experienced a ransomware attack in the past 12 months, and 69% of those affected paid a ransom.

Such data breaches are sure to cause a dent in the organization’s reputation, impacting customers’ and prospects’ interest in doing business.

How could such breaches be mitigated?

While an organization can take advantage of a range of cybersecurity solutions, below are some of the basic measures to put in place.

1. Bolster endpoint security

The adoption of BYOD policies at workplaces has made monitoring and managing endpoints a major challenge for IT teams. Enabling a strong multi-factor authentication (MFA) system is the first step. It comes as no surprise that attackers such as Lapsus$ leverage weak MFA factors like simple push notifications that can be intercepted via SIM swapping. Instead, number matching in MFA could mitigate such threats. The Office of the Privacy Commissioner of Canada (OPC) has also listed some more guidelines.

2. Implement a foolproof identity and access management protocol

The principle of Zero Trust is now more important than ever. Organizations must implement the principle of least privilege and just-in-time access to ensure that the right individuals get the right level of access to only the resources they need.

3. Leverage real-time threat detection tools

With the sheer number of potential attack vectors, a real-time threat detection tool is indispensable. Organizations should leverage UEBA and ML algorithms to identify anomalous behavior and help preempt data theft.

4. Create a reliable network security perimeter

An attack that compromises an organization’s network can also expose sensitive information including PII, ePHI, and transaction information to malicious actors. Log analysis capabilities help monitor the internet usage of all employees, including staff connecting outside the network through a VPN. Real-time security and traffic anomaly alerts also help detect zero-day network intrusions and DDoS attacks.

5. Have an endpoint data loss prevention strategy

Organizations must identify files containing PII across endpoints, containerize them to trusted apps, and ensure data exchange occurs only via trusted domains. They must also closely monitor specific user actions and stop attempts at data theft now that phishing attacks are commonplace.
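The first step above, finding which files hold PII, can be sketched as follows. This is an added example, not part of the original article: it assumes the "ID number" of interest is the Canadian Social Insurance Number (which the article does not name), uses the Luhn checksum that SINs satisfy to discard random nine-digit runs, and masks hits so the scan report does not become a second copy of the data. The function names and sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Nine digits, optionally grouped 3-3-3 by a space or hyphen, not part of a longer number.
SIN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; SINs satisfy it, most arbitrary 9-digit values do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sins(text: str) -> list[str]:
    """Return masked hits (last three digits only) for Luhn-valid candidates."""
    hits = []
    for m in SIN_CANDIDATE.finditer(text):
        digits = "".join(m.groups())
        if luhn_valid(digits):
            hits.append("***-***-" + digits[-3:])
    return hits


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Map each file under root that contains a likely SIN to its masked hits."""
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            hits = find_sins(path.read_text(encoding="utf-8", errors="ignore"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


def demo() -> dict[str, list[str]]:
    # Constructed sample files; 046 454 286 is a test value that passes Luhn.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "hr").mkdir()
        (root / "hr" / "onboarding.txt").write_text("Name: A. Example\nSIN: 046 454 286\n")
        (root / "orders.csv").write_text("order_id,qty\n123456789,2\n")  # fails Luhn
        (root / "notes.txt").write_text("Invoice 2022-0001 paid.\n")
        return scan_tree(root)
```

Calling `demo()` flags only the onboarding file; the nine-digit order ID is rejected by the checksum, which is what keeps such a scan usable on real file shares.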

Why is data privacy more important than ever for Canadian organizations?

According to a 2021 OPC survey on privacy-related issues, 87% of Canadians expressed some level of concern about protecting personal privacy.

With the continued move towards a digital workplace, privacy laws are getting more stringent. Organizations that are agile and adopt a proactive rather than reactive approach to data breaches will be resilient in the continuously evolving threat landscape.

Sairam T A
Regional Marketing Specialist