Changes to Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), went into effect November 1st. This regulation extends beyond the Canadian border to companies doing business with (or ‘controlling data’ of) Canadians in most provinces. It contains several stipulations about how data is handled; the most important to readers of this post are those about data breaches. Note that the government specifically states that the regulation applies to small businesses. Below, we describe how our MDR clients are a step ahead, with three ways we can help organizations deal with these new regulations.
Fewer Breaches to Disclose
One of the new stipulations within PIPEDA (detailed here) is that organizations are required to report breaches involving personal information under their control. Note that disclosure is required only for breaches for which there is a Reasonable Risk of Significant Harm (RRoSH) to those impacted. Ultimately, this is designed to reduce the fallout of a breach (e.g., personal data being revealed).
Our Managed Detection and Response (MDR) service helps prevent breaches in the first place, by detecting suspicious behaviour and other indicators of compromise (IOCs) that signature-based technologies may have missed – and responding to them. We achieve this through a combination of dedicated Threat Hunters who are proactively looking for threats, rigorous processes in place for them to leverage, and our proprietary technology stack enabling them to prioritize and respond to the most relevant ones first.
So, you can mitigate the risk of fallout by detecting and responding to threats before any data is exfiltrated, thereby removing the need to report the breach.
Greater Visibility/Information to Report
Another stipulation: you must retain records of all breaches, whether there is RRoSH or not, for two years from when you discover them.
ActZero offers three ways to provide your business with visibility into breaches that occur. First, metadata about indicators of compromise (IOCs) is retained centrally on our platform for as long as we deem it useful. This is more about equipping our threat hunters to protect you and conduct investigations than about reporting.
Second, logs from your endpoints and prevention technologies (such as firewall and anti-virus) are stored on a virtual machine (VM) within your environment. Depending on your business and regulatory needs, and how much storage you allocate, you can store as many logs as you require.
Finally, incidents are documented in our ticketing system. We track what happened and when, the steps we took to address the problem, and what (if any) implications there are for your systems, users, or data. Additionally, we provide you with a monthly report on the vulnerabilities that exist within your environment, with prescriptive actions prioritized so that you can proactively address the issues.
You can see for yourself that the information we provide aligns with the expectations of the Privacy Commissioner, as detailed below from government resources:
- date or estimated date of the breach;
- general description of the circumstances of the breach;
- nature of information involved in the breach; and
- whether or not the breach was reported to the Privacy Commissioner of Canada and whether individuals were notified.
An Expert to Consult With
The third way that ActZero’s MDR service can help your business deal with regulatory issues is through engagements with a Virtual CISO, for as many hours as you choose to invest in per quarter. The Virtual CISO is a qualified and experienced resource who can advise you on business, information, systems, and technology matters, helping you build the policies, framework, and KPIs you need to reduce risk and comply with regulatory bodies. To learn more about the vCISO, see our post here.
If you have further questions about how ActZero can help your business, you can comment below or reach out to us now.
For your reference, here is the Privacy Commissioner’s resource about mandatory reporting of breaches of security safeguards.