Cybersecurity and Protection of Personal Data

With the increase in electronic sharing of personal information on different computer platforms, cybersecurity threats will be more frequent and their consequences will be more serious. Since confidentiality incidents are no longer isolated events, it is important to be ready to deal with them and limit their risks and impact.
Marie-Noelle Morin
20 September 2022
Security and conformity

It is no longer uncommon to see large companies named in the media for privacy incidents. With the increase in electronic sharing of personal information on different computer platforms, cybersecurity threats will become more frequent and their consequences more serious. Because privacy incidents are no longer isolated events, it is important to be ready to deal with them and to limit their risks and impact.

Privacy incidents

These incidents occur when there is a breach of privacy, whether through unauthorized access, use or disclosure. This also includes the loss of confidential data that can identify a natural person. The intrusion of hackers into a database containing personal information is one of the most serious incidents. This is called a data leak. The purpose of this operation is to use this information, or sell it on the Dark Web, to usurp the identity of these people.

The Calm Before the Storm: Be Prepared

Although cyberattacks are often associated with large enterprises, small and medium-sized businesses must also be on the lookout for these threats. In fact, these companies are targeted by 43% of cyberattacks. Thus, it is important that every organization holding sensitive information is well prepared. Some initiatives can already be taken internally as a preventive measure.

1. Raising awareness among stakeholders

It is important to educate your employees as well as your customers on the subject of cybersecurity. They must be informed about the precautions to be taken to avoid such incidents. They must be equipped to protect their data against unauthorized access or theft.

Privacy incidents put the privacy of your customers, employees and/or business partners at risk. This indirectly harms your business: these incidents have a financial impact on your organization and can threaten its sustainability.

One of the most worrying cybersecurity threats today is ransomware. With this strategy, hackers gain access to company computer files and can block access to data until a ransom is paid. The annual share of ransomware attacks experienced by organizations worldwide has been on the rise since 2018, peaking at 68.5% in 2021 (Statista). This threat is largely the result of phishing attacks.

2. Implement good cybersecurity management practices

Some recognized cybersecurity management practices include, but are not limited to:

  • Install anti-virus and anti-malware software
  • Enable data encryption
  • Carry out security audits
  • Comply with current legislation
  • Take out data leak insurance
  • Establish a cybersecurity policy (password management, access management, etc.)

3. Surround yourself with trusted business partners

It is important to have sufficient cybersecurity resources and trusted business partners, especially for data hosting. At Dialog Insight, the security of your data is a priority. As a result, we implement the best practices in the industry. Moreover, we comply with the requirements of legislation in Quebec (Law 25), Canada and Europe (GDPR). In addition, we hold ISO 27001 and SOC2 certifications.

Victim of a cyberattack: What to do?

In the event that the worst happens and your business is the victim of a cyberattack, certain actions are required by the various levels of government.

In Quebec, Law 25 (Bill 64) aims to improve the protection of personal information by public bodies and private companies. It sets out the various obligations that must be respected in the management of confidential data. Its main objective is to better control confidentiality incidents and limit their impact.

When there is reason to believe that there has been a confidentiality incident involving personal information that it holds, Law 25 requires a person who operates a business to take reasonable measures to reduce the risk of harm being caused and to prevent new incidents of the same nature from occurring.

Here are the steps to follow in the event of a theft of personal information:

  1. Preliminary assessment of the situation: Define the context, designate a person responsible for managing the situation, inform the internal stakeholders concerned
  2. Limit the invasion of privacy: Recover data, modify access codes, control gaps
  3. Assess the risks: Consider the sensitivity of the personal information in question, determine the potential harm, determine the actions to be taken as a priority
  4. Notify data subjects: Determine who needs to be notified and how
  5. In-depth assessment of the situation and prevention: Analyze the circumstances of the event, make recommendations on the internal directives to be put in place
  6. Follow-up

New obligations related to Law 25

When a privacy incident poses a risk of serious harm being caused, Law 25 requires companies to take the following actions, starting September 22, 2022:

  1. Notify the Commission d’accès à l’information
  2. Notify any person whose personal information is affected by the incident
  3. Notify any person or organization likely to reduce this risk
  4. Consult with the Privacy Officer to assess the risk of harm
  5. Maintain a register of confidentiality incidents, to be communicated to the Commission on request

For more information on Law 25 and the various obligations arising from it, see our latest article, "Preparing for the implementation of Law 25".

This article does not represent legal advice. You should consult your legal advisors for an opinion with respect to Law 25 or its implications.
