New Privacy Legislation, Cyber Vulnerabilities and Preparation

Every company is at risk of a privacy breach, so every company needs to worry about cyber vulnerabilities. In this episode, we delve into cyber vulnerabilities and security, which for companies of all sizes is really a question of privacy.

The full transcript of the episode follows.

Paul Martin: Welcome to Risky Business Commercial Insurance with Butler Byers. I’m Paul Martin the business commentator here on CKOM and you’ve heard me talking with Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers Commercial Insurance.

Paul Martin: And we’re picking up the topic that we started —  well we’ve actually touched this one probably half a dozen times over the last year, year and a half — and it’s the topic of cyber security. And before you roll your eyes and say, “Jay, I’ve heard everything there is to hear about that,” there’s actually some new rules that are coming into effect this year. The legislation that was passed a couple of years ago, they spent a couple of years then writing regulations. Those regulations are coming into effect this year. And it’s something the average business owner probably hasn’t talked about but does need to understand. And it will filter down and there’s no getting around it if you have in your business anything just as simple as a smartphone, you’re probably vulnerable. So Colin, let’s talk about that.

Paul Martin: It’s almost impossible really to think about a business that wouldn’t be affected by this privacy legislation.

Colin Rooke: We’ve got various assessments we use with our clients that allow us to gauge cyber preparedness and vulnerabilities. And I know anyone in the IT field would have something similar. And I’m positive they would all agree with me that I have yet to find any organization that would have zero risk of a cyber attack, cyber liability, cyber crime. It’s just not there. I mean if your business is not only electronic in any way but quite frankly, if you’re storing paper. I mean when we talk about privacy breach, it doesn’t mean that I’m storing it in the cloud and that my system was hacked and then I lost everything. When we talk about digital, it’s anything that can be distributed digitally. If you can steal a stack of papers from the eighties and circulate that through the Internet, that’s a breach of privacy. We’d be looking for a business quite frankly that has no records of anything. And so, I guess that would maybe send a-

Paul Martin: They’re out of business.

Colin Rooke: Yeah.

Paul Martin: Virtually every business, no really every business would be subject to this. And we’re using the term cyber security but really probably it’s more accurate to talk about privacy.

Colin Rooke: Exactly.

Paul Martin: It’s privacy legislation that’s affected, that’s really the driver here. And the cyber breaches occur because when they get your information, you’ve broken the privacy act. So let’s talk about that privacy act. In the last show, we talked about for example, one of my employees goes out to the bar, leaves their smartphone on the table. If somebody has access to it, that constitutes a breach-

Colin Rooke: Exactly.

Paul Martin: … for the company if they have things such as a corporate email in there. Or if one of my clients was exchanging emails with him, I can identify the client through their email address, bing bang, I’m in a breach as the owner of the business.

Colin Rooke: Yeah and I mean even in your personal phone, if your work email is stored in that phone or even work contacts with work emails stored in that. I mean we’ve talked about social engineering where basically the hackers pretend to be you by learning your patterns and then they get so proficient at it that no one questions that it’s not you. So you think about, again, does your personal phone have stored contacts in it? Well, I guarantee one of those stored contacts will somehow link back to not only where you may work, but other clients where they may work, and it just goes on and on and on.

Paul Martin: And I think in a previous show, we talked also that it isn’t … your company can be captured in this even though the breach didn’t occur at your place. It can be a supplier of yours that gets the breach and then it cascades downhill because your name and address and your client information is in the hands of a supplier. And they had the breach so now I’m complicit in all of this.

Colin Rooke: Exactly. And you know if you and I each had our own business and I was hacked, I had breach and I sent a virus or a breach your way, not only are my clients at risk, your clients are at risk. So your clients are going to go after you, not me because to them, it came from you. So your cyber security wasn’t where it should be, therefore, something from my business was able to pass to yours and you were able to pass it on. And it can go on and on and on and on and on.

Paul Martin: That sounds hypothetical but just not that long ago was that breach of the Equifax I think it was.

Colin Rooke: Yeah.

Paul Martin: And you know your name, you apply for a bank loan, for a car loan or something, they forward that through to Equifax. So if the breach is there, now it hit the bank and now it hits me because I made an application. Well, I didn’t even know I was dealing with Equifax, or that I had a cyber vulnerability.

Colin Rooke: 143 million files in North America breached. And again, no one knew the name Equifax prior to the breach. In fact, even after … but then when you start reading, “Oh they deal with every lending facility essentially in the world.” So if you’ve ever given your information to any bank anywhere, any credit card company, you’ve dealt with Equifax.

Paul Martin: So when they were breached, effectively your privacy was offended at that point. And you’re involved in it. If you had made a … something as simple as filling out an application form for a credit card.

Colin Rooke: And to the end consumer, again, you’re not crying foul to Equifax, you don’t know who Equifax is. I mean you would later learn but you’re saying, “I deal with such and such bank or lending facility. And my information was compromised.” And of course the bank’s saying, “Well, we didn’t lose it. Equifax did,” doesn’t matter. That bank is going to be named as well.

Paul Martin: I think the upshot of this is, as I’m sitting here listening to you, is this a whole lot more complicated than I think the average small business owner thinks.

Colin Rooke: Absolutely.

New Regulations, Cyber Vulnerabilities and How to Educate Yourself

Paul Martin: And this ain’t going away and it’s just going to get more and more onerous. And the time — because new regulations are coming in — the time is now for a business owner to start educating themselves about this.

Colin Rooke: Really good point. As business owners, you don’t have time to be experts in all things risk. That’s where we come in. I mean that’s where we put our focus. So we introduced this topic, I believe it was in September of 2017 when the major changes were announced, and we said, “Here’s what’s coming.” Since then, we’ve been able to put together a tool that not only explains the changes, it makes it easy to understand, “So here’s what I have to do but then here’s how I do it.” So it’s one thing if I just tell you that you’re going to have a written report to the Privacy Commissioner. I mean moving forward. Okay, well your next question is, “Well what goes in that report?” Great question. You know, we have a whole document that explains every single section of that report and what to put in there. And again, we’ve done that so we can educate our clients. And then, they are able to best prepare and should an event occur, they know what’s required of them.

Colin Rooke: So not only have we outlined all the changes, all the requirements, what that means, all the definitions, what it’s going to cost them, the rise, all the who, what, when, where and why. We also prepared a document, we call it Six Ways to Prepare for PIPEDA. It’s a good barometer or a guideline for any business to say “Okay. Here are six steps that we really need to consider as an organization to ensure that we don’t have to go through this, quite frankly, to address our cyber vulnerabilities.”

Paul Martin: Alright. I’m going to get you to walk me through those six steps but we’re going to take a little break first. We’re going to come back in about two minutes. You’re listening to Colin Rooke, the Commercial Risk Reduction Specialist, and today our cyber vulnerabilities, cyber breach, privacy breach expert. He’s with Butler Byers Commercial Insurance. And we’re going to talk more about this after the break. Back in a moment.

Paul Martin: Welcome back to Risky Business Commercial Insurance with Butler Byers. I’m Paul Martin talking, as always, with Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers Commercial Insurance. Just before the break Colin, we were talking about this new package you put together. It’s a handy-dandy guide, a step-by-step thing for your clients and I suppose any prospective clients that … Here’s six steps you can walk through to prepare yourself for these new changes or these new rules that are coming around privacy legislation and really the whole realm of privacy.

Colin Rooke: And just to backpedal a little bit, to make this a little more real, why do we do this? Well a study came out saying that the number one legal risk in Canada is cyber compliance.

Paul Martin: That’s for this year?

Colin Rooke: That’s for this year, 2018. So that told us we have to do something. So we’ve prepared this document. So for anyone listening, again, it’s something you can take to your organization. You can work through it and ideally prepare yourself for A) the understanding, but also against any cyber threat or cyber vulnerabilities.

Colin Rooke: So the first, I’d say, one of the more important points is make sure you are aware of all the new requirements. That’s where the document that I just referenced comes in. We’ve prepared something that makes it easy to understand what’s changed? What was there in place? What do I have to do? And how do I do it? So again, ensure that you are informed on all the new requirements.

Colin Rooke: The second topic is prepare internally for data breach scenarios. Paul, you mentioned this but the number one cause of a breach is a lost laptop or cell phone. And so having those conversations, discussing, “What are we going to do?” Other things like emailing any document, any client document to the wrong address, that constitutes a data breach. And it makes sense. What if those are sensitive documents and now you have inadvertently mailed those to a competitor?

Colin Rooke: Disposing of any personal information in a public area. A network that’s compromised due to hacking or security failure. Physical documents — we talked about this — physical documents that are lost. It could be a file from the eighties and you lose it. Backup data is lost. And this is a big one, customer or employee information is lost by a third party vendor. So you trust everything to the cloud. Well what happens when the cloud gets hacked? And then employee negligence or even sometimes fraud. So sometimes employees will steal sensitive information because they know they can sell it.

Colin Rooke: So the third topic is train your employees. We really harp on this. When it comes to data breaches, 28% of the time it’s caused by human error. And these aren’t employees that are not paying attention. They’re not employees that are trying to deliberately harm the organization they work for. They just don’t know what they’re seeing but they also haven’t been told what to do, what’s the procedure if they think something is suspicious. Because when asked after the fact, questionable email or something wonky, most will say, “You know in hindsight, I wasn’t sure about that one.” But most don’t know what they’re supposed to do if they see something. And you know, most employees are there to help, genuinely there to help and they don’t want to bother others. And so, it’s as simple as forwarding something on that shouldn’t have been forwarded.

Colin Rooke: Another one is ensure your internal processes are up-to-date. So again, it’s one thing to have protocols. But if you’re never discussing them, or if it’s stuck at the management level, or you had a manager retreat, you talked about processes and then shelved it. If you’re not reviewing, how can your organization be constantly preparing for cyber vulnerabilities if you’re not having those discussions?

Colin Rooke: So then the fifth topic is assess your data storage practices and response strategies. So really think about the information that you store. Do you need to be storing all of it? Is it all relevant to your business or are you just storing it for storage sake? And what would you do if you lost that? Really thinking that through. And we talk about disaster recovery Paul, we’ve had that talk a lot. But we do talk about cyber security response planning, which is really just a mini disaster recovery plan for when you have a breach. And once you’ve, again, gone through your practices and policies, it’s very important that you have a plan in place.

Colin Rooke: And then lastly, and this will become legislation. I mean I’m going on the record to say it but it will become legislation at some point, it’s really important to obtain proper cyber insurance. The pricing has really come down in the last three or four years to the point where it’s very affordable. And you’ll see some coverage. I’ll call it packaged in on a lot of policies. I would caution anyone that purchases that coverage against it. Quite frankly the limits are quite low and it’s done that way deliberately to provide some protection to … You know if you’re looking at a large insurer, they’re saying, “Well, we want to give our clients something,” but that may or may not be what’s required by the organization. So really dig deep into, “Are these limits adequate? What’s the potential cost to my company?” before saying, “Well, there was some coverage thrown in, built into a package.”

Paul Martin: This topic’s getting increasing attention and I’m not sure the average business owner really fully appreciates what they’re up against here. But this is the business commentator coming out now. I view these professional hackers if I can call it that wherever they’re located around the world, that are effectively coming after our economy. I lump them in the same category as terrorists. They’re out there trying to undermine our economy, the Western way of doing industrial business. And I’m not sure that business people here in Saskatchewan understand they’re kind of the front line soldier in a battle. This is a war. And it is a war designed to undermine Western society, at least the economic component of Western society. And you know, it just reemphasize, Colin, that I think business people here need to understand the magnitude of the challenge that they’re facing and that we are caught in a situation that it’s not on the other side of the world now, it’s right here.

Colin Rooke: You make a good point with the war reference. I mean you’ve got Russia that is openly admitting to funding universities, funding cyber crime and looking into cyber vulnerabilities. And so, when it comes to any thoughts of why me or do I have anything they would want, you may not. But they’re trained to just blanket — quite frankly North America — get what they can, extract what they can. And when it comes to notification and a potential breach, it really doesn’t matter if they use what they stole. It’s the fact that they have it. And I guess, in the hackers’ wake, we have the business owner left to clean up the mess.

Paul Martin: Well you know we’ve sort of scared them here with this terminology we’re using. And I guess we should probably close this show with a little bit of a positive note or some sort of offer of help. You can provide some support to business people who are looking at this and saying, “Well maybe I can’t ignore this any more. This is a big one although I don’t really understand it.” Colin can help them.

Colin Rooke: Absolutely. And that’s why, again, we created the document that explains the changes to PIPEDA. What are my responsibilities? And then we also developed this six step readiness sheet that any business can go through and understand and prepare their organization. So give us a call and we’ll make sure we get you those.

Paul Martin: Colin. Thank you. As always, very insightful, very informative.

Colin Rooke: Thanks Paul.

Paul Martin: You’ve been listening to Colin Rooke, the Commercial Risk Reduction Specialist with Butler Byers Commercial Insurance. I’m Paul Martin. You’re listening to Risky Business, Commercial Insurance with Butler Byers.