New data privacy rules, new giant fines for ignoring them

Kristi Shmyr

PIPEDA. It sounds like the name of a Broadway play about a plucky young Swiss girl with a stutter, but in true government fashion, it’s a little less whimsical. PIPEDA is the Personal Information Protection and Electronic Documents Act, legislation the Canadian government introduced in 2000 that governs how businesses (including yours) collect, use and protect our personal information.

So why should you care about a piece of boring legislation from the early aughts?

Because yesterday, changes to the legislation came into force that you really need to know about. Down-payment-on-a-house level of need to know. Beers-at-Rogers-Place level of need to know. Bankrupt-your-business level of need to know.

The new data privacy laws

The major change is this: if you suffer a breach of security safeguards that creates a “real risk of significant harm” to an individual, you are now required to report it to the Office of the Privacy Commissioner of Canada, and to notify every affected individual, “as soon as feasible”. I know – the language is vague. In plain terms: if your customer data is exposed, you need to report it, and tell the people affected, as soon as possible.

Perhaps more importantly, you are now required by law to take “appropriate” precautions to protect personal information from being breached in the first place. You must also keep a record of every breach of security safeguards, including what happened and what you did about it, for two years after you determine that the breach occurred – and the Privacy Commissioner can ask to see those records. The fines are onerous, so this isn’t something to pay passing attention to – does a penalty of up to $100,000 per violation get your attention? $100,000 got our attention.

Now that we have established that you should definitely care, how do you protect yourself? You must be aware of the security of your email, your databases, your wireless network, your backups – everything that stores or transmits personal information. One in five Canadian companies was hit by such a security breach last year, so this is a very real concern. Yet not a lot of businesses know about the onus that is now on them to take action. That’s why it is so critical that you spread the word. Maybe even spread this blog post. *Wink wink*

Why you shouldn’t be mad

Of course, this isn’t all bad news, because we aren’t just business people – we are also consumers. We are still reeling from the big Equifax hack, as well as many other breaches. The public needs all the help it can get to protect its online information. As a responsible business person who doesn’t have $100,000+ lying around, protecting the private information of the people who keep you in business should be important. Data privacy isn’t just important for our customers; it matters for our credibility with those customers.

Next week, we’ll give you some suggestions for keeping your customer data safe. Until then, we encourage you to call us to make sure your business – and your customers – are protected.