Not if, but when
Breaches are a fact of life in today’s cyberattack-happy world. The Chartered Professional Accountants Canada reports that, in addition to blue-chip companies like BMO, CIBC, and Air Canada, an estimated one in five Canadian firms has suffered a data breach, and many may not even be aware of it. And while the embarrassment and reputational damage associated with a breach are bad, the financial impact can be even worse, including:
- Significant legal fees
- Settlement monies
- Fees for crisis management and public relations
- Up to $100,000 CAD in fines should you fail to report a breach to the Office of the Privacy Commissioner
Businesses of all sizes are being targeted, especially smaller and mid-sized firms that believe they are below the hackers’ radar, and whose data security practices may be less well-resourced than those at large organizations.
Why Data Breach Response Planning Matters
As of November 1, 2018, Canadian firms are required, per the Personal Information Protection and Electronic Documents Act (PIPEDA), to retain records pertaining to a breach for a minimum of two years.
This record-retention requirement is in addition to the requirements for reporting the breach to the relevant national and provincial bodies, as well as to the affected consumers or businesses.
Having a formal response and recovery plan is critical to demonstrating defensible practices, and has been shown to help minimize risk and lessen the financial impact and damages caused by an information security incident.