A cybersecurity breach can be a catastrophe for any business, but especially for a small or medium-sized one. Without the expertise, capital and resources often available to larger companies, such businesses can be left in financial turmoil by the aftereffects of an attack.
But a potential hit to business finances isn’t the only reason to be concerned about cybersecurity. Canadian businesses are also bound by federal legislation known as the Personal Information Protection and Electronic Documents Act (PIPEDA), which states that businesses must disclose details of any privacy breach to both affected individuals and the Office of the Privacy Commissioner of Canada.
From handling paperwork to navigating related public relations, here’s a rundown of exactly what this legislation means for your small business should you experience a breach.
What is PIPEDA?
First put into law in 2000 and then updated in 2015 and 2018, PIPEDA is a set of strict rules around the disclosure of security breaches to the federal privacy commissioner and parties whose data may have been compromised.
The legislation outlines 10 responsibilities all private sector organizations have, including measures on accountability, consent and safeguarding information. These guidelines apply not just to handling breaches, but also to the collection of data in general.
Under PIPEDA, rules on handling breaches apply to attacks of all sizes – whether a hack affects one person or 100,000 individuals, businesses are required to report it.
“Any breach that causes a customer significant harm, such as financial loss or mental distress, must be reported,” says Donna Millingen, underwriting expert at Northbridge Insurance. “That’s something that many small businesses may not know, and it can create problems for them in the event of an incident.”
“The legislation also requires that businesses keep records of every breach they experience, even if it doesn’t meet the significant harm threshold,” she adds.
While PIPEDA is federal legislation, it’s important to note that each province also has its own laws around privacy and data security, some of which take precedence over the federal law. For example, the provincial laws of Ontario, New Brunswick, Nova Scotia, and Newfoundland and Labrador are considered substantially similar to the federal law, so PIPEDA applies in those provinces. However, in Alberta, British Columbia and Quebec, businesses are bound by their provincial regulation.
How does this legislation apply to my small business?
PIPEDA applies to all private-sector organizations across Canada that collect, use or disclose personal information – anything from age and name to income, credit and loan records, medical history and ID numbers – in the course of a commercial activity.
“It doesn’t matter what type of business you run, or your industry,” Millingen says. “If you operate a private business, you’re subject to compliance.”
That means you are required to explain what information you are collecting from customers, why it’s being collected and how it will be used.
In the event of a breach, businesses must notify any individual whose personal information has been put at risk. They are also required to keep records of the incident.
“Reporting and notification is just one consideration,” Millingen says. “Depending on the nature of the incident, you may also need to engage forensic IT firms to recover data, public relations consultants to deal with media and technical specialists if hackers demand ransom payment. All that can consume a huge amount of time, money and resources for a small business.”
With such serious consequences, Millingen recommends that small business owners take a critical look at the information they collect and make sure that it’s absolutely necessary.
“If you don’t need it, don’t collect it,” she says. “And make sure that you’re following best practices when it comes to safeguarding the data that you do collect – not only to protect yourself from liability, but also to protect your relationships with customers and suppliers.”
What happens if my small business fails to follow this legislation?
Under PIPEDA, businesses have a legal responsibility to report breaches to the privacy commissioner, and failure to do so can result in fines of up to $100,000.
“That alone could be devastating to a small business, even before you consider the other costs associated with a breach response,” Millingen says. “And, if you conduct business outside of Canada, you can be subject to legislation and fines in other countries as well.”
Millingen notes that some cyber insurance policies now offer protection for regulatory fines, such as those under PIPEDA.
But there is more than just money at stake. Not reporting a breach can seriously undermine your customers’ trust in your business, causing a public relations nightmare.
“How you respond can make or break your reputation, and that can have long-term consequences for your business,” Millingen says. “That’s why it’s so important to make sure you’re planning for the worst-case scenario ahead of time, so you can react quickly and appropriately should a breach occur.”
If a customer is concerned that a business has failed to comply with PIPEDA regulations, they can file an official complaint with the privacy commissioner. Under the ombudsman model, the Office of the Privacy Commissioner will investigate the complaint, decide whether due process was followed and make recommendations accordingly. The decision can then be taken to federal court if the customer wishes to sue.
In some significant cases, the privacy commissioner can also initiate a complaint against a business.
What can I do to protect my small business in the event of an attack?
If all of this sounds like a lot to take in, that’s because it is.
“The fact is that many businesses aren’t doing enough to protect themselves,” Millingen says. “And when a breach occurs, they’re not prepared to deal with all of the moving pieces.”
Small businesses with limited expertise and resources can take the hardest hit. “Most don’t have a forensics IT company or public relations expert on speed dial, so just knowing where to start can be overwhelming.”
For this reason, cyber-focused insurance policies are becoming increasingly popular as they can help a business not only address financial losses, but also the various responsibilities you have if an attack does occur.
Millingen recommends speaking with your insurance broker, who can help you understand your risks and make sure you have the proper coverage and support in place.
She also says that it’s important to think about how you would respond to an incident before one happens.
“Having that plan in place makes a huge difference,” she says. “This is the kind of thing that can shut you down permanently, but with the right preparation and insurance coverage, you can protect your business and survive a cyber incident.”
Advertising feature produced by Globe Content Studio. The Globe’s editorial department was not involved.