February 28, 2019

What is the Canada Data Breach Notification Law?

Canada recently created a new data breach notification law, one that requires businesses to record all breach information and notify the appropriate authorities as well as those affected. This blog gives you all the details you need to know—even if you’re not a Canadian company or currently doing business in Canada. We also describe many ways that our innovative, powerful security solutions can help.

Everything You Need to Know About a New Canada Data Breach Notification Law—and How We Can Help Improve Compliance

Past ARIA Cybersecurity Solutions blog articles have provided a closer look at various data privacy regulations, and now there’s yet one more that you should be aware of. 

On November 1, 2018, a new Canada data breach notification law went into effect, requiring businesses to record all breaches and notify Canada’s Office of the Privacy Commissioner as well as those affected by breaches, of incidents that “pose a real risk of significant harm to individuals” (their words).

As we’ve noted in blogs before, this type of requirement follows similar laws in place, not only in other Canadian provinces, but also at the international level, by following the precedent set by GDPR

Yet it is important to note that, unlike some European regulations, Canada’s new data breach notification law does not shift data breach responsibility to outside vendors if a breach occurs. Instead, it pushes the obligation to the companies themselves to make sure they have adequate controls in place.

Related resource: How-to Guide: Successfully Complying with Data Privacy Regulations

What does this new Canada data breach notification law mean for you?

Even if you are not a Canadian company or do business in Canada, it is still worth thinking about its implications and your overall security strategies. Especially since these new requirements are likely to be part of a regulation that does affect you, and may influence better security practices.

For example, the new Canada data protection law requires the recording of all breaches, even if a minor breach doesn’t meet the “real risk of significant harm” threshold. Yet, as we’ve described before, it’s impossible to record a breach unless you know it’s happening, and the vast majority of breaches are not discovered until weeks or months (or longer!) after they happened. Traditional security approaches make it difficult, if not impossible, to comply with this requirement. 

Even still, this regulation calls for a minimum amount of recordkeeping that must include the date or estimated date of the breach, the nature of the breach, a general description of the incident’s circumstances, and whether or not it was reported (both to Canada’s privacy commissioner and affected individuals). Companies must keep these records for two years.

The Canada data breach notification law also requires that the record contain sufficient details about the breach. This information is needed to let the privacy commissioner assess whether the organization has correctly applied the “real risk of significant harm” standard, and in turn, met its obligation to report breaches.

This information could include a brief explanation of why the organization determined that there was no real risk of significant harm. This highlights the need for a security solution that can prove that the data was encrypted, record all evidence of the breach, and perform very focused forensic analysis.

Related: Everything You Need to Know Data Breach Notification Laws in California

A better way to achieve compliance with the Canada data breach notification law

At ARIA Cybersecurity Solutions, we understand the need for this information and have developed our solutions to give companies the tools and capabilities needed to improve compliance. 

Our ARIA Software-Defined Software (SDS) platform provides complete security of high-value data and other critical assets no matter where they are stored, used, or accessed. This approach of focusing on PII data is a departure from typical breach prevention and detection solutions. With our ARIA Packet Intelligence application, all data traffic is monitored as it moves through the network, including east-west traffic. This enhanced network security capability is important because of the fact that up to 80% of east-west traffic may be unmonitored as most security tools are set up to inspect north-south traffic.

Going further, the ARIA solution also provides automatic policy enforcement, ensuring not only that data is protected but that applications are accessed by only those authorized to do so; however, if unauthorized access is detected, it is immediately flagged for investigation. 

In addition, our Myricom nVoy Series pairs seamlessly with ARIA to provide the reporting needed to prove compliance with regulations like the Canada data breach notification law. With our 10Gb recorder, security teams can take advantage of packet-level recordings of all conversations between critical devices and data.

With full line-rate packet capture with zero packet loss and extremely accurate timestamping, this technology provides the data needed to have complete visibility into the possible effect on critical data, such as PII or PHI. It delivers automated breach verification and notification using intrusion alerts generated by a company’s existing security tools. With this information in hand, the nVoy Series enables security teams to complete tightly focused breach investigation in mere hours—not days, weeks, or months - a dramatic improvement in breach response.

These capabilities help comply with the requirements of the new Canadian data breach notification law and many others. For example, the new Canadian law requires notification to affected individuals “as soon as feasible” after the company determined a breach occurred. While the law doesn’t provide a specific timeframe—a compliance inconsistency and challenge we pointed out in our Data Privacy Regulations eBook—it seems that this is designed to give companies time to thoroughly detect what information was hacked.

While this is intended to give companies the right amount of time to research what happened before reporting it, such ambiguity could lead to possible compliance issues down the road. For example, companies may believe they have more time that the regulation intended. 

Again, the Myricom ARIA SDS platform and nVoy Series could help avoid such an issue. It provides auditable proof of the exact impact of the data breach, including when it started/ended, what devices were affected, what critical databases or files were accessed, and more—all can be completed within hours of a verified breach.

With ARIA Cybersecurity solutions, organizations are successfully accelerating incident response times and improving their breach response capabilities and ensuring compliance with increasingly stringent data privacy regulations, including the Canada data breach notification law.

Interested in learning more? Visit our nVoy Series page.

About ARIA Cybersecurity Solutions 

ARIA Cybersecurity Solutions recognizes that better, stronger, more effective cybersecurity starts with a smarter approach. Our solutions provide new ways to monitor all internal network traffic, while capturing and feeding the right data to existing security tools to improve threat detection and surgically disrupt intrusions. Customers in a range of industries rely on our solutions each and every day to accelerate incident response, automate breach detection, and protect their most critical assets and applications. With a proven track record supporting the Department of Defense and many intelligence agencies in their war on terror, and an award-winning portfolio of security solutions, ARIA Cybersecurity Solutions is committed to leading the way in cybersecurity success.

Tags: data breach, cybersecurity, intrusion response, data protection, intrusion detection