Preparing for Canadian Breach Notification Requirements
Is your organization located in Canada or do you do business with Canadian citizens? If so, you need to be aware of new privacy regulations that are going into effect in November of this year.
Last April, the Canadian government published its Breach of Security Safeguards Regulations. The requirement is part of an amendment to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and is enforceable starting on 1 November this year. The requirement is applicable to any organization that maintains personal data on Canadian citizens and residents.
The regulation requires notification “as soon as feasible” to the Office of the Privacy Commissioner and affected individuals of data breaches that may pose a “real risk of significant harm”. Significant harm is defined broadly and includes humiliation, damage to reputation or relationships, identify theft, bodily harm, loss of employment, business, or professional opportunities, financial loss, and damage to or loss of property. Notification to the Commissioner must include:
● Description of the breach and root cause
● When the breach occurred
● Impacted personal information
● Number of individuals impacted
● Steps taken to reduce or mitigate the harm to impacted individuals within the context of the breach
The regulation further requires organizations to maintain a log of all breaches, regardless of impact, for inspection by the Commissioner’s office as requested.
Many organizations across Canada, as well as foreign companies that do business in Canada, are responding to the change in regulation. Canada’s PIPEDA has always required protections for Canadian personal information, however, the new regulation increases the risk to an organization’s reputation and may expose it to further regulatory scrutiny and ultimately, increase the impact to the bottom line.
Cisco is in a unique position to help our customers in Canada prepare for and continue to respond tothe new regulation. Our own Security and Trust Organization prepared for this and similar regulation around the globe. More importantly, we help our customers implement and manage data protection and security as well as respond to security threats and breaches through a powerful combination of our security architecture portfolio and experts within our Security Services organization.
In order to prepare for and respond to the breach notification requirements, we recommend our customers take the following four steps:
1. Be prepared to respond with expertise
2. Increase visibility within your network
3. Limit the impact of a potential breach
4. Enhance Endpoint Protections
Be Prepared to Respond with Expertise
When an incident occurs, being able to investigate, contain, eradicate, and recover in a timely manner to limit damage or data loss requires a specialized skill set. The information that’s required to be reported to the Commissioner under the new regulation makes it even more important to have the required expertise, tools, and intelligence. Further, mature processes that are continually improved, are proving key to adequate breach response. The time to learn about your blind spots, process issues, and skill set deficiencies is not during an breach, but before. Being ready to respond is just as important, if not more important, than the actual response.
When there’s an incident, Cisco’s Incident Response Retainer enables you to take advantage of some of the best incident investigators in the industry. Backed by the largest volume of threat intelligence in the industry from Cisco Talos and some of the most powerful tools on the market, our retainers enable you to cost effectively bring the “A” team when you need it. Enhancing the effectiveness of your response and enabling you to root cause and remediation actions faster and with higher quality. More importantly, our Incident Response Retainer includes a suite of proactive incident response services, facilitating enhanced ability to respond when needed most.
Increasing visibility is important in order to respond to any breach notification requirement. Establishing visibility across your network, systems, endpoints, and applications is the first step in being able to identify and respond to breaches faster. Strong visibility controls demonstrate to regulators that you are performing due diligence in security monitoring and decrease the time it takes to detect a breach. Visibility is also critical to being able to investigate and contain a breach.
Cisco StealthWatch and Tetration provide unparalleled visibility in the campus, data center, and cloud, facilitating faster times to detect and respond. Further, Cisco Umbrella provides even more visibility and protection, turning DNS queries into security telemetry and blocking potentially malicious communication, including command and control traffic. Using Cisco’s visibility technology helps facilitate quicker response, preventing Canadian organizations from having to report long detection and response timelines that may increase Privacy Commissioner scrutiny.
Enhancing visibility does lead to larger volumes of security telemetry. Effective SOC processes, technology, and staff are required to make use of this telemetry in order to find real, high fidelity events faster, understand what is happening, and “tell the story” afterwards. Our Security Operations Services help organizations build or enhance their SOCs enabling Canadian companies to meet executive and Commissioner expectations for being able to “tell the story” after a data breach.
Limit Breach Impact
When disclosing breaches, the smaller the breach to report, the better. Through our many Incident Response engagements over the past several years, Cisco has seen time and again that the single largest contributing factor to limiting the scope of a security breach is segmentation. Segmentation enables organizations to limit the “blast radius” of a security event, lowering its overall impact. In ransomware attacks, this limits the overall damage to operations, and in the case of data exposure, it decreases or eliminates the impact that needs to be reported.
However, many organizations fail to implement effective segmentation due to the sheer complexity of the task as well as a lack of a coherent and effective strategy. Cisco’s Security Segmentation service uses a mix of consulting and visibility technology to define an effective strategy, architecture, and roadmap. This includes the specification of segments, the necessary trusts or communication paths between segments, and the controls required to enforce policy within each segment. This strategy provides an actionable roadmap to implementing segmentation and limiting the potential mpact of breach.
Cisco also helps by enabling the implementation segmentation using a mix of our visibility and policy enforcement technologies. This includes static enforcement using our Next Generation Firewall and access lists, and, more importantly, automated, fabric based enforcement technologies such as TrustSec and ACI that make Segmentation more practical in dynamic environments.
Enhance Endpoint Protection
Finally, as users continue to be one of the weakest links in our security posture, protecting the end points they use on a daily basis is an effective way to lower exposure to potential breaches.
Cisco Advanced Malware Protection (AMP) for Endpoints provides prevents threats at the point of entry and also continuously tracks every file it lets onto your endpoints. When malicious activity is detected, it can prevent the activity and quarantine and investigate files, sharing the information with other endpoints, potentially preventing a wide spread attack.
The Bottom Line
However Canadian organizations choose to respond to the new PIPEDA breach disclosure requirements, organizations must enhance their security game if they’re going to be in a defensible position after a breach. Being prepared and responding effectively to breaches is a start. Enhancing controls to increase visibility, limit the extent of breaches, and enhance endpoint protection further demonstrate due diligence and improve the ability to disclose breaches without significant regulatory fallout.
To learn more on how Cisco can help, contact your Cisco Account Executive or Partner.