Data Breach Procedure

Data breaches can have far reaching effects. In this episode of Risky Business, Colin Rooke discusses what to do in the event of a data breach within your company.

Listen to the full episode here, or read the full transcript below

Paul Martin: Welcome to Risky Business Commercial Insurance with Butler Buyers. I’m Paul Martin, business commentator here on CKOM, and you’ve heard me talking almost endlessly, I think probably about the Butler Buyer’s risk assessment system and today we continue our conversation with as always, Colin Rooke the Commercial Risk Reduction Specialist with Butler Buyers Commercial Insurance. He’s the guy who helps us understand that world of insurance sometimes can be a little bit difficult to get a grasp on and he’s a guy who can actually kind of turn it into English and help you understand it. As a business owner, what do you need to do and what’s the best ways to protect yourself to go about doing that? So, Colin, great to see you again. Welcome back.

Colin Rooke: Thanks for having me.

Paul Martin: Since we talked last, it seems like there’s an endless parade of natural disasters or major natural events. We’ve had hurricanes, we’ve had fires, whether they’re in BC, California, Alberta, Saskatchewan. We’ve had, it just windstorms.

Colin Rooke: You name it.

Paul Martin: It just seems like Mother Nature is really acting up. Yet, last time we were here, we were talking about cybersecurity and the big Equifax breach and there’s actually we’re going to stick with that topic even though Mother Nature’s been at play, where it’s all going to stick with a cyber security issue only because there’s been some significant new developments that probably most business owners don’t know about, but they should. So let’s take this opportunity, this window to provide a little bit of an educational opportunity for business owners. If you own a business, you need to listen to this because this will get you right in your kitchen. So maybe, Colin I’m going to turn it over to you. What has transpired since that Equifax event and since our last conversation?

Colin Rooke: Yeah. So I know we promised that we would talk about natural disasters. I think we joked about the effects the costs of reinsurance and what that’s going to mean to premiums. But so September 1, the Canadian government published proposed regulations referring to the mandatory reporting of privacy breaches in Canada. So this is all related to the Personal Information Protection and Electronic Documents Act and-

Paul Martin: Say that three times real fast.

Colin Rooke: Yeah, exactly. Yeah, I had to write it down or I’d say it backwards. So essentially what’s happened is they’ve come out with proposed rules on how businesses are going to be required to react to any data breach. Now, as of right now, it’s a proposed rule but they are in the process of turning these rules in regulation. So they’ve added this to the act. They’re working on again, an official regulation and it’s going to be a big change in the way companies respond to data breaches in Canada. And it’s very similar to what’s already occurring in the United States, which you and I have talked about at length that Canada is sometimes a few years behind, but it is coming. And so this is the beginning of just that.

Paul Martin: Now, the last time we talked, it wasn’t necessarily you who caused the breach or your server that was breached. It was actually a-

Colin Rooke: A third party, yeah.

Paul Martin: It was you as a business owner in Saskatoon, or Saskatchewan could have been impacted because you may have had a dealing with a bank and the bank can turn had dealing with Equifax. And Equifax was the one that was actually hit, is that, are these regulations sort of, are they casting that wide a net?

Colin Rooke: Yeah, exactly. So if you take what we talked about last time and then you apply that literally today and once these are true regulations. So essentially the Digital Privacy Act is changing and if and when businesses or organizations have a data breach, they are going to be required to report those to the Privacy Commissioner of Canada and they’re going to be required to report the breach to all concerned parties; customers, any vendors they deal with, any business person entity that they have any stored information on. So if you can imagine anyone you are dealing with, have dealt with, might deal with, if they’re connected to your business at all in any way, you would be required to report not only to the commissioner but to the end user.

When businesses or organizations have a data breach, they are going to be required to report those to the Privacy Commissioner of Canada and they’re going to be required to report the breach to all concerned parties; customers, any vendors they deal with, any business person entity that they have any stored information on.

Paul Martin: So this net is very wide.

Colin Rooke: Yeah. That the rules are, they say if there’s real risk of significant harm, that’s going to be the barometer for, should I report this? So when you say yourself, “Real risk of significant harm,” is that a data breach? I don’t know. There’re data breaches every single day and I don’t know. If you ask most business owners how often do they think there is real risk of significant harm. But when you look into the definition, it’s very broad of this significant harm. So bodily harm, humiliation, damage to reputation or relationships, which we’ve talked about a ton, loss of employment business or professional opportunities, financial loss, identity theft, negative effect on credit. So Equifax, there you go, and damage to or loss of property.

And really they’re judging this on the sensitivity of the information that was lost and the probability that that information will be misused. Essentially, if you take anyone’s personal information if that information was stolen in a data breach, it was for a reason. They stole the info to use it. Therefore, the argument of significant harm would hold true and business owners, organizations would then be required to notify.

Paul Martin: I’m assuming that this is not a very inexpensive operation either. If you’ve got hundreds of clients and you have to do all this notification that could run into some money as well.

Colin Rooke: Exactly. There’s the financial side, there’s the time away from what you’re doing best. There’s the reputation risk. So when you look at, okay, so what am I required to do? Well, you have to, of course, inform the Privacy Commissioner. You have to, in writing, describe what happened, the day, the period in which it occurred, a description of all personal information that was lost, an estimate of the number of individuals who could be at risk of significant harm, a description of every step the organization has taken to reduce the effect of that harm, a plan that they intend to implement to notify absolutely every person affected.

And then contact information for the commissioner on who they can work with inside the organization to help sort out this mess. So if you could imagine the time that it would take just to notify the commissioner and you have to do it essentially immediately, that is going to take a significant time out of your day. Again, that’s just the beginning. We haven’t even got to notifying our clients, which is the really big number. The really big issue.

Paul Martin: It’s getting hard to do business, isn’t it?

Colin Rooke: Costly.

Paul Martin: There’s a lot of onus on the business owner here with these new rules. By the way, if you’ve just joined us, you’re listening to Colin Rooke, who’s the commercial risk reduction specialist with Butler Buyers Commercial Insurance and we’re talking about new regulations about to come into effect that are basically a byproduct or result of that big cyber security breach that happened in the US with Equifax. I think it was about 140,000 Canadian files involved in that. Now, the Canadian government’s reacting by putting in regulations that are essentially putting the onus on business owners to then notify those customers of a potential breach or anything that might’ve happened. Did I summarize that all right?

Colin Rooke: Exactly. Really it’s a response saying, “Okay, what onus is on the business owners and what steps must be taken to protect the privacy of those that do business with these companies?”

Paul Martin: Well, the way you just laid those out, obviously there’s a lot of onus on the business owner to take ownership, but there are many things that you have to … Steps you have to go through and you have to be able to prove I went through all the steps in order to satisfy the Privacy Commissioner that you did a due diligence and reasonable in your approach.

Alright, this is scary. It sounds scary at least, and we got to take a little break, Colin. When we come back, I want you to walk us through what a business owner in Saskatchewan can do to protect themselves a little bit and what you can do at Butler Buyers to help them step through that. So we’re going to take a little break. Back after this with Risky Business.

Paul Martin: Welcome back to Risky Business Commercial Insurance with Butler Byers. This is Paul Martin, your business commentator here on CKOM, and I’m talking, as always with, Colin Rooke, the Commercial Risk Reduction Specialist at Butler Byers Commercial Insurance. And before the break we were just delineating the new regulations that the federal government is going to be bringing in as a response, I guess, to the major cybersecurity breach that happened south of the line, but it had a lot of Canadian files involved too. And so these regulations are aimed at business owners and what you might need to do if your business is targeted and you are the victim of a cybersecurity breach, what steps you have to take to notify your customers whose information may have been compromised, what you have to do to speak to the privacy commissioner national as well.

So Colin, you have delineated a lot of stuff that is … This is a very wide net these regulations are casting. So it’s not difficult to assume that your business or my business might be captured in this. So if I’m a business owner and I’m listening to this and I’m sounding like or I’m hearing you talk about this, I’m saying whoa, what do I do about it? How do I protect myself? Is there something you can do to help us out? How are you answering that question when people are putting it to you?

Colin Rooke: Really good point. So why are we talking about this today? Because if we want to reduce the effects of a data breach, if we want to reduce the impact it would have on any organization, there’s got to be proper planning in place. So on the client’s side of a data breach, you are going to be required to notify the clients you work with, not only on the fact that there was a breach, but in a way that your clients can understand what happened and why, which that would take a significant amount of time for any organization. But you also have to share what steps the organization took to prevent this, what steps they’re going to take to prevent this occurring in the future, toll free numbers to help walk the affected individuals through the claim.

If we want to reduce the effects of a data breach, if we want to reduce the impact it would have on any organization, there’s got to be proper planning in place.

And again, you also have to set up basically a complaint procedure to the privacy commissioner if the business isn’t, in the client’s eyes, doing their part to make this process smooth. So where do we come in, what’s the point? Proper planning. When we have a client go through our workshop process, we do talk about cyber crime, I think, after this many shows it’s no mistake cyber crime’s going to come up, but we encourage every business that we work with to have a cyber disaster recovery plan. Some sort of tool, some sort of preparation in the

event a breach occurs for exactly these reasons. The business owners need to know how many files do I have, what would I do, and how if I were forced to notify what would be the cost to our company if we were required to do so. Would we need a PR firm to help navigate the reputation risk, if so, who would that PR firm be? We get very, very detailed.

But if you can imagine, if you’ve had a breach, in addition to the fact that you have to figure out how to get my data back, how to get up and running, you also have this colossal mess of duty to notify. And if that isn’t planned out, something as simple as a data breach could seem like the equivalent of a total loss fire where you’re unable to operate. You are going to spend most of your time trying to navigate this until it’s complete. And so, if we put together a plan

in place that we’re all comfortable with, in the event something like this should occur, at least we have something to work on. And lastly, you are required to submit all of this to the privacy commissioner. There are fines for companies that have done very little or didn’t do their due diligence, or are too tardy in their responses. So if you could imagine the reputation risk on top of the fact that you had data breach, on top of the fact it’s taken a very long time to get up and running, a long time to explain, now you have additional reputation risk because the privacy commissioner is after you because of the way you’ve handled it.

So we talk about cyber crime and cyber risk all the time and the reason we do that is it’s not going anywhere. And now, as evidenced today, the rules and regulations, they’re toughening up.

Paul Martin: I think your point is this isn’t going away. It’s only going to get worse in the future.

Colin Rooke: And more costly.

Paul Martin: And is it incorrect to assume that all of the cyber hacker thief type people only target the big companies?

Colin Rooke: No, they target data. They don’t care where it is. But they are after the least path of resistance, the low hanging fruit. So if you can imagine, if they hack one company with 100,000 files, great. But they could also hack 100 companies with a 1000 files. It’s all the same to those companies.

Now from a business owner perspective, in Canada it costs roughly $400 to satisfy all these requirements per file. And as we discussed in the Equifax breach, it doesn’t mean you have this folder of 15 clients that you do business with and that would be the extent of the damage, it’s any file that’s crossed your desk. Any person that’s applied for credit. Any email address you might have. Any stored data past, present, future, these are the individuals that could be affected and would be subject to this duty to notify.

Paul Martin: So they wouldn’t necessarily have been compromised, they’re just in your system, so you have to notify them-

Colin Rooke: So they might be.

Paul Martin: … as basically just as a matter of course.

Colin Rooke: Exactly. So proper planning. A cyber crime disaster recovery plan. Working on

risk, having a risk plan in place for your company so when situations like this arise we’ve already tackled that. And that’s the work that we do at Butler Byers Insurance.

Paul Martin: Well that’s what you’ve always talked about is the step-by-step risk assessment plan. And here we are two minutes left in the program and we finally got to your step-by-step risk reduction plan.

Colin Rooke: Step-by-step plan.

Paul Martin: But that has been your mantra since we’ve started this program is that there is just simply no substitute for planning in advance. And these regulations just underscore that.

It’s been your mantra since we’ve started this program is that there is just simply no substitute for planning in advance

Colin Rooke: And in the insurance industry, we’ll hear from clients, no one likes insurance until you need it. And it’s good to have when you need it but otherwise it isn’t. What if I don’t have a claim? Well it’s the same logic here that you might never have a data breach. You might be the lucky one that never does. But when you do, you’re going to wish you did some proactive work. You’re going to wish you had a plan because I can tell you firsthand, it’s a disaster to go through when the organization hasn’t done much.

Paul Martin: Well you get to do all of this stuff at a time when you’re very stressed anyway because you’ve had a breach so you’re dealing with it. And now you’ve got all of this other stuff on top of you and-

Colin Rooke: And it’s public.

Paul Martin: … and we were talking earlier, they only target the big companies because there’s the big pool of data, but I think your counter argument to that was they can go small because in all likelihood, small company has lower security levels so they’re easier to breach.

Colin Rooke: Exactly.

Paul Martin: Well, Colin, this has been a very interesting conversation. I didn’t think we’d be back on cyber security after-

Colin Rooke: Neither did I.

Paul Martin: … an earlier program, but this is one of those things that’s evolving and as a business owner, it’s hard to keep on top of all of these things. So thank you for coming in and talking to us about this and providing this bit of information and alerting all business owners that these regulations are coming and all of us will have a new duty of responsibility to meet those brought to you by the federal government and the privacy commissioner. As always, you’re listening to Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers Commercial Insurance. This is another addition of Risky Business. I’m Paul Martin. Thanks for

joining us.