April 19, 2018 by Greg Meckbach
Properly-trained employees are critical to managing cyber risk, especially with the nation-wide breach reporting law taking effect this fall, brokers and risk consultants told insurance professionals at a recent conference.
On November 1, several new sections – including one mandating privacy breach reporting – of the federal Personal Information Protection and Electronic Documents Act take effect.
The section on mandatory breach notification was originally passed into law, with Bill S-4, the Digital Privacy Act, in 2015.
The Digital Privacy Act stipulates that an organization having a breach of personal information under its control must report that breach both to the federal privacy commissioner and to the affected individuals if it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.” This means a rule that already exists in Alberta under provincial law will apply Canada-wide.
Failure to comply can, in essence, result in a $100,000 administrative monetary penalty for every affected person the organization fails to notify.
This means organizations will “have to make a self-reporting call,” said Brian Rosenbaum, Aon Canada Inc.’s senior vice president and national cyber and privacy practice leader, on April 12 during the International Cyber Risk Management Conference (ICRMC).
“That is a decision that has to be made fairly swiftly and you have to have the right people at the table to do that,” Rosenbaum said during an ICRMC session titled Resilience: What’s Insurance Got To Do With It?
This means you need both information technology professionals and a lawyer at a minimum, Rosenbaum suggested.
“Every organization is supposed to have a privacy officer,” Rosenbaum said. “Hopefully there is somebody doing that within the organization.”
Not all breaches have to be reported but making the wrong decision on whether or not to report a privacy breach “is going to create a regulatory SNAFU,” Rosenbaum said, adding it could result in a class-action lawsuit.
Other speakers at ICRMC included Alex LaPlante, managing director, research at the Global Risk Institute, who spoke during a separate session.
What is “exceedingly important” is “proper education and training for employees around cyber issues,” she said, adding there has been an increase in methods of cyber attacks, such as phishing, malware and social engineering.
“Humans make mistakes,” Aird & Berlis lawyer Steve Tenai said during ICRMC. “Perimeter protection sounds great, is great, but you also have a couple of thousand people inside the organization who can totally make perimeter protection useless.”
Privacy breaches can happen when employees working off-site lose USB keys containing sensitive data, Imran Ahmad, a cybersecurity lawyer with Miller Thomson, told Canadian Underwriter earlier.