The Canada-wide data breach law, which has been in effect for two weeks, is pushing businesses to manage cyber risk more effectively, a computer security expert says.
The federal Digital Privacy Act makes it mandatory for clients to disclose data breaches if they pose a “real risk of significant harm.” Passed into law in 2015, the DPA made several changes to the Personal Information Protection and Electronic Documents Act (PIPEDA).
Now it is mandatory for clients to tell the federal privacy commissioner’s office if they experience a breach of personal data, said Ahmed Etman, managing director of security for Accenture Canada, in an interview.
“It means that the businesses have to have the right procedures, the right technology, the right capabilities in place to be able to identify and quantify and nail down the details of a breach,” said Etman. “On top of that, they also have to have the right procedure of reporting that breach to the authorities.”
If your client experiences a data breach that poses a real risk of significant harm, they must report it both to the privacy commissioner and to the affected individuals, unless notification is prohibited by law, reports law firm Fasken Martineau.
The new law is “pushing businesses to have a more mature type of security program,” said Etman. Before joining Accenture earlier this year, Etman was general manager of cyber security for the Canadian branch of computer networking vendor Cisco Systems Inc.
Are Canadian businesses actually ready for mandatory breach notification?
“It varies significantly from industry to industry,” said Etman. With large clients, “in most of the cases they are ready, however there are major adjustments that still have to happen and major developments that still have to happen in the cybersecurity program.”
For example, one challenge clients face is finding chief security officers who are good at explaining cyber risk to board members and the C-suite.
“Many of the CSOs that have developed over the years come from that camp of the technical communities,” said Etman. But today, your client’s CSO needs to understand how the business is run and what risks it faces.
“Having the ability to communicate risks to the board – this becomes a challenge that we see all over the place,” said Etman.
“Boards are getting a lot more exposure to cyber security. I cannot think of a client where the board has not said, ‘Hey how are we doing on security? I want to start understanding, what does this mean to my business? I want to understand how exposed we are.’”