Victim of a cyberattack: What to do?
In the event that the worst happens and your business is the victim of a cyberattack, certain actions are required by the various levels of government.
In Quebec, Law 25 (Bill 64) aims to improve the protection of personal information by public bodies and private companies. It sets out the various obligations that must be respected in the management of confidential data. Its main objective is to better control confidentiality incidents and limit their impact.
Law 25 requires that a person who operates a business take reasonable measures to reduce the risk of harm and to prevent new incidents of the same nature from occurring whenever there is reason to believe that a confidentiality incident involving personal information the business holds has taken place.
Here are the steps to follow in the event of a theft of personal information:
- Preliminary assessment of the situation: define the context, designate a person responsible for managing the situation, and inform the internal stakeholders concerned
- Limit the invasion of privacy: recover the data, change access codes, and close the gaps
- Assess the risks: consider the sensitivity of the personal information in question, determine the potential harm, and decide which actions to take as a priority
- Notify the data subjects: determine who needs to be notified and how
- In-depth assessment of the situation and prevention: analyze the circumstances of the event and make recommendations on the internal directives to be put in place
- Follow-up