In November of 2018, Canada’s federal government announced new mandatory privacy breach reporting regulations for businesses in order to help protect the privacy of citizens and combat personal information being stolen, sold, or both, to outside parties. Prior to the Personal Information Protection and Electronic Documents Act (PIPEDA), reporting privacy breaches was voluntary for businesses. Now, it is mandatory that all businesses that fall under the Act report any incidents of privacy violations that pose a significant risk to people. They also must inform the people involved of the incident and keep detailed records of all occurrences.
An article released through the Office of the Privacy Commissioner (OPC) a year ago details that since PIPEDA came into effect there were 680 breach reports, which is actually six times more than received during the same period the year before. This means that the program is working, and also that privacy breaches happen every single day. One of the more massive cases that the public is aware of is Desjardins’ data breach in 2019, which affected about 2.7 million people and 173,000 businesses.
Privacy breaches most often happen through human fault and error. It could just be a mistake made because of fatigue, or improper training in cybersecurity, or the person could be deliberately attempting to access information they should not be. The latter is exactly what happened with Desjardins, as it was an employee who leaked the names, addresses, birth dates, social insurance numbers (SINs), email addresses, and information about transaction habits of its members to a third party.
Another major privacy breach incident also happened last year, when Capital One was hacked and the personal information of 100 million Americans and six million Canadians was accessed. That’s a staggering number, and once that information is out there, it can be shared over and over and over again, meaning that victims must be hyper-vigilant for years to come.
What is privacy breach insurance?
As a business owner, protecting the privacy of your clients and customers should be top of mind. Not only will this build your reputation as a trustworthy organization that delivers on its promises, it can also save you from extensive litigation costs. In the Desjardins data breach case, a class-action lawsuit was launched on the very same day the breach was announced. Desjardins offered those affected free identity theft insurance and a credit-monitoring plan through Equifax to flag any potential incidents of fraud as quickly as possible. Capital One did the same, and also provided new credit card numbers as a precaution.
According to the Insurance Bureau of Canada, $10.2 billion was claimed by businesses in Canada last year because of privacy breaches. Privacy breach insurance can help mitigate the serious circumstances that can result from the loss, theft, or unauthorized access to clients’ accounts. It is available for businesses of any size, non-profit organizations, and co-operatives.
Claims coverage can account for expenses incurred for the proper notification of customers and authorities, and protect you from additional fraud that could be incurred through the breach. This may also include credit monitoring and forensic services.
Privacy breach insurance can include business interruption insurance that will account for losses specifically outlined in the policy, as well as third-party liability coverage, which will provide for obligations of compensation required through law, as well as legal expenses.
Your privacy breach insurance could also provide access to a third-party expert in cyber security and identity protection services who can provide counselling, crisis management, notification, remediation, media relations, and legal support in the case of a privacy breach.
Ways to avoid a privacy breach
In addition to data being lost or stolen through inadequate systems and/or human error, privacy breaches can also happen when hardware such as computers and phones is stolen. This can happen much more easily these days, as more and more people are working from remote locations rather than from the security of the office. Devices should never be left unattended and should always be locked with a secure password. Employees should also be told to never access secure drives, websites, or documents on any sort of public Wi-Fi.
For businesses, the OPC suggests the following to avoid a privacy breach:
- Know exactly what kind of private information you collect, how you store it, and who can access it. Keep the number of people who are in charge down to a bare minimum.
- Never allow a third party to collect information on your behalf.
- Conduct risk and vulnerability tests often, keep your security systems up to date, and invest in a secure firewall.
- Be aware of other breaches and learn how they were carried out so you can implement countermeasures.
Keep information in the right hands only
The OPC stresses that keeping the number of those who have access to personal information down to a minimum is one of the best ways to avoid a privacy breach. To do this, you have to avoid employee snooping. Ways to do so include:
- Make privacy a priority. Tell all employees that they are expected to be extremely careful with all information at all times.
- Put comprehensive privacy practices in place and provide extensive, continuous training.
- Ensure there are consequences for snooping.
- Restrict access according to only what is needed to do the job.
- Keep access logs so you know who is doing what.
- Develop a system that will immediately flag inappropriate behavior.
Lane’s Insurance is here for all of your coverage needs
Lane’s Insurance works for you, not the insurance companies. We believe that customer service is still important to people, and work with numerous carriers to meet your coverage needs. As proud members of the Independent Insurance Brokers Association of Alberta, we are pleased to serve homeowners and business owners throughout Alberta.