Data Breaches: No One Is Safe

by Donald E Sheehy, CPA, CA, CISA, CRISC, CITP/C

Effective November 1, 2018, businesses in Canada became subject to new mandatory breach reporting regulations under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Previously, data breach reporting was done on a voluntary basis only.

The Office of the Privacy Commissioner of Canada reported on October 31, 2019 that data impacting over 28 million Canadians (about 75% of the population) had been compromised during that first year of reporting. Some compromises came from well-known corporate names (Capital One, Desjardins); however, significant volumes also came from small- and medium-sized businesses. ( see

No size or type of organization is immune. 

That fact became very apparent with CPA Canada’s statement last week that, due to a compromise of its web site, an unauthorized third party had managed to access personal information on over 320,000 members and others over a 5-month period, at which point the compromise was discovered and the relevant systems secured. In an email to members, CPA Canada states “CPA Canada has employed enhanced monitoring and prevention measures since this incident was discovered and is implementing additional measures to further enhance its cyber security program to help reduce the risk of such incidents in the future”.

It is more important than ever, especially with the COVID-19-driven transition of employees from the office to working at home, that organizations adopt a comprehensive cyber security program and a comprehensive privacy program to protect their data and critical systems from cyber attacks. For even more confidence, organizations should consider having the programs assessed by a qualified expert using current criteria and control expectations. This does not provide a guarantee, but it will certainly help identify issues before they become breaches.
