December 4, 2017 by Greg Meckbach, Associate Editor
This may be a prime time for brokers to start selling cyber insurance to commercial clients.
There is still no word on when Canada will have nation-wide mandatory breach notification, but a legal cyber specialist says companies should start to prepare themselves by looking for cyber insurance now.
Four months before they were tossed out of office in 2015, then Prime Minister Stephen Harper’s Conservatives passed the Digital Privacy Act. This law made some changes to the Personal Information Protection and Electronic Documents Act (PIPEDA). But the Digital Privacy Act’s regulations mandating breach reporting and recordkeeping have yet to be finalized.
The federal innovation, science and economic development (ISED) department has published draft regulations and comments “will be analyzed to determine whether and how changes to the draft regulations are warranted,” an ISED spokesperson wrote Monday in an e-mail to Canadian Underwriter. ISED plans to work with the federal justice department on another version of draft regulations that Cabinet will then consider.
“Given the several elements that may impact timelines, a more precise estimate of when final regulations will be published is not possible to provide,” the ISED spokesperson wrote.
What is clear is that once the rules are in place, if a data breach were to create a “real risk of significant harm to an individual,” that individual would have to be notified, notes Bradley Freedman, national leader of Borden Ladner Gervais’ cybersecurity law group.
To cover the costs of complying with the yet-to-be-passed regulations, all organizations “should definitely be looking at whether there is cyber insurance suitable for them, for sure,” Freedman said Monday in an interview. “Even if the decision ultimately is, ‘We are going to self-insure,’ that decision ought to be made in an informed way based on an assessment of the kinds of insurance products that are out there, the premium” and a risk assessment.
Freedman added that “significant harm” could include identity theft, financial loss and humiliation, among others.
The regulations “will require organizations to maintain sufficient information in a data breach record to demonstrate that they are tracking data security incidents that result in a breach of personal information,” the federal government said Sept. 2 in a regulatory impact analysis.
“If there is no risk of harm, you still have to keep the records of the breach,” Freedman told Canadian Underwriter Monday. “When the privacy commissioner says, ‘Let me see all those records, please,’ you’ve got to do it. And if you don’t keep the records, and if you don’t do the breach notification, you are subject to administrative monetary penalties of up to $100,000.”