Oh, Hack! – Mandatory Breach Reporting Rules Review
Canada has now had Mandatory Breach Reporting Rules in place for about the past year and a half.
Yup, that’s what I said: “Mandatory Breach Reporting.” At least when it comes to personal info; so, anything covered by PIPEDA, really.
So, what have we learned so far? Well, in the past year, 28 million Canadian identities have been impacted by one breach or another. The total population of Canada is 37.5 million; 28 million is 75% of that.
THAT’S IN ONE YEAR!! There have been enough identities breached to impact 3 out of every 4 Canadians (regardless of being an adult or child, age, etc.)!!
When I say “identities” I’m talking about the total number of records for each breach. Going through all of them and figuring out duplicates to get the real number would be a massive amount of work. It doesn’t really matter, as the number is simply staggering!
After the mandatory breach reporting rules went into effect, the Office of the Privacy Commissioner saw a massive increase in the number of breach cases that were reported: 680 cases were reported in the first year of these rules (vs. about 100 in previous years). It seems unlikely that this upsurge was caused by a change in attackers’ activity. The most likely cause for this increase is that reporting is now a requirement. Before, most breaches went unreported and possibly undetected.
Here’s a breakdown of those 680 breaches, to see what happened. It works out to four broad types:
Unauthorized Access – More than half of these cases are due to ‘Unauthorized Access.’ This includes an attacker pulling the data out of your network and internal employees snooping around where they shouldn’t have access. Someone who shouldn’t have had access to the information was able to obtain access to it for one reason or another.
Accidental Disclosure – About 25% of the breaches were due to various ‘accidents.’ This includes things like forgetting to use email BCC, sending info to the wrong person; that sort of stuff. Whatever the situation was, data got sent to the incorrect destination(s).
Loss – This would be something like losing track of a laptop, a file, a USB drive, etc. Something physical with data on it or in it was lost track of. Even though there was no evidence of theft, the fact that important data was lost means this is considered a breach.
Theft – Theft is very much like the Loss category. The difference is that in this case the loss of the data can be reasonably traced to an intentional theft of a device or material. Information was physically stolen, which could mean files from a filing cabinet, data copied onto a USB drive and removed from the facility, backup drives/tapes removed; that kind of stuff.
The most common problem is information being accessed by unauthorized parties (internal and external.)
This means that for your own organization, the first thing to focus on is controlling and monitoring access to your data. Look at the information you have and make certain that only properly authorized individuals and user accounts can access it. Also, make sure that you’re taking appropriate secondary precautions (proper password policies, etc.). Make certain as well that your staff is properly trained in Data Disclosure Procedures. Being responsible for a breach because recipients were CC’d instead of BCC’d is not only embarrassing; it is also easily preventable.
It’s worth mentioning that the PIPEDA (and Alberta PIPA) acts are NOT limited in their scope. They don’t simply apply to Government, Schools and Medical Clinics. Those sorts of institutions come up a lot when these regulations are mentioned, simply because the nature of the data they handle means PIPA always applies. PIPA/PIPEDA don’t target businesses; they target data. Any “Personally Identifiable Information” is subject to them, REGARDLESS of the business field you happen to be working in. So, depending on exactly what information you keep, this could apply to your customer data, payroll information, and other similar records.
If you have any questions about PIPA/PIPEDA, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-man.