Data Breach Reporting & PIPEDA
The new reality for Canadian businesses
The Personal Information Protection and Electronic Documents Act, or PIPEDA, applies to the collection, use or disclosure of personal information by every Canadian organization in the course of a commercial activity.
The Office of the Privacy Commissioner of Canada introduced new data breach reporting requirements that came into effect on November 1, 2018. According to Commissioner Daniel Therrien, this requirement was introduced due to “the number and frequency of significant data breaches over the past few years,” and “mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information.”
The reporting requirement works in conjunction with the Privacy Act for the federal sector and the Personal Information Protection and Electronic Documents Act (PIPEDA) for the private sector.
This new requirement applies to all businesses within Canada and to those organizations that collect the personal information of Canadians.
With this new requirement, organizations must:
- Report to the Privacy Commissioner’s office any breach of security safeguards where it creates a “real risk of significant harm;”
- Notify individuals affected by a breach of security safeguards where there is a real risk of significant harm;
- Keep records of all breaches of security safeguards that affect the personal information under their control; and
- Keep those records for two years.
A real risk of significant harm is defined as a risk of humiliation, damage to reputation or relationships, or identity theft.
While the requirement refers to the reporting of a data breach, it also identifies the need to improve the security posture of every organization to ensure that the likelihood of a breach is minimized. There are numerous traditional security tools designed to protect our network, such as firewalls and endpoint protection; however, given the number of breaches that have occurred, it is evident that they are not enough. Organizations need to be proactive and vigilant. This requires a tool that is designed to review all activity within the organization and to compare that activity day to day, such as an SIEM or analytics tool.
Where Snare Comes In
The Snare Product Suite by Prophecy has been designed to provide clear, concise and accurate reporting of all activity within your network.
Snare Agents are feature-rich, reliable, lightweight log programs that can be installed on Windows, Linux, Solaris and OSX; there are also two agents for text-based logs and an MS SQL agent. The agents send the events/activity on your devices in near real time.
Snare Server provides for data collection and reporting in real time, providing critical information required to monitor your organization's network infrastructure. Additionally, it provides the ability to store and retrieve event data for historical review.
The Snare Analytics product provides organizations with a single pane of glass to review activity over time, check that systems are patched to prevent attacks on out-of-date software, and spot unusual activity and escalation or improper use of admin privileges, which will allow you to identify and respond to a potential breach before it escalates.