December 4, 2018 by Jason Contant
Changes to Canadian privacy laws expose small and medium-sized enterprises (SMEs) in Canada to potentially higher compliance costs and civil liability in the event of a data breach, according to a new report from commercial insurer Aon.
On Nov. 1, a nationwide mandatory data breach law came into effect. The federal Digital Privacy Act requires organizations to disclose data breaches if they pose a “real risk of significant harm,” such as bodily harm, reputational damage, identity theft and potential negative effects on an individual’s credit record. Passed into law in 2015, the act amends sections of the Personal Information Protection and Electronic Documents Act (PIPEDA).
“SMEs could face potentially crippling compliance costs, not to mention the outfalls of third party actions,” said the Aon 2018 Canadian SME Insurance Guide, released Monday. “For organizations without appropriate cyber liability cover in place, responding to such a breach could be financially crippling,” the report said, noting that the regulations include fines of up to $100,000 for non-compliance.
Even if a breach does not end up being notifiable, in many cases it could be subject to civil litigation, warned Brian Rosenbaum, national practice leader with Aon’s cyber and privacy practice. “This is significant, because we are seeing Canadians becoming very litigious when their privacy has been violated.”
In addition, a breach, especially one that’s notifiable, becomes a very public event, and the way it is dealt with can either make reputational damage worse or help a company retain and rebuild its credibility, Rosenbaum said.
“In crisis management situations, especially with an event such as a cyber breach, the management of public messaging by an experienced public relations firm has proven to be more successful than when a business attempts to do so on its own,” he said. “You may also need the services of a call centre to notify your customers that their information is at large, and also provide them with access to credit monitoring to ensure they don’t become the victims of fraud or identity theft.”
If the breach involves extortion, the SME will have to decide quickly whether it is possible to disarm the threat – or to recover or recreate the data assets held hostage – or whether it is more economical to make the payment (provided the SME believes the extortionists will actually free the data).
“These costs to SMEs will exist in every cyber breach irrespective of whether the regulator takes action or any affected individuals bring a lawsuit,” Rosenbaum said.
The report said that fewer than half (48%) of Canadian SMEs rate data security as either “very” or “somewhat” important. About the same percentage (nearly 50%) have been the victims of a cyberattack.