What to expect from the upcoming mandatory data breach notification laws and key actions to reduce the impact in case of a breach.
Cyber security rules and expectations are changing. Since the passage of the new Digital Privacy Act (Bill S-4) in June 2015, mandatory breach notification clauses are widely expected to be enacted in the fall of 2016 and likely to come into force in 2017. While the content of the mandate may leave room for interpretation, it is clear that Canadian organizations will soon face higher costs, rigorous regulatory requirements and heightened risks.
In this article, we explore the five expectations from an organization that experiences a data breach according to the new Digital Privacy Act. We also look at the importance of maintaining an optimal cyber-defensible position and the key in taking action to reducing the impact of a breach.
Legislation is not the only factor raising the risk level around cyber breaches for Canadian organizations. Not only that hackers have become more sophisticated - cyber criminals have evolved and aren’t just focusing on financial information. Breach trends show an increased focused on Personally Identifiable Information (PII). Consumer expectations have also changed and accepted industry ‘good practices’ to proactively protect and efficiently recover and notify victims after a breach are only expected to increase. These all contribute to the expected increase of fines, costs and reputational damages on the back of new legislation and heightened expectations.
We believe that organizations will need to go beyond the letter of the law if they hope to properly manager their risks. Cyber security expectations will continue to change and organizations will need to remain vigilant – of the threat and of public expectations – to survive.
© 2018 KPMG LLP, a Canada limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.