Privacy & Security Policies & Notices
The first thing you need to know when developing a privacy program for your start-up or small company is what privacy laws apply to you and your customers. Start-ups face a bewildering array of privacy legislation, especially if you are selling your products and services across Canada and/or internationally. In Canada alone, there are more than 30 separate federal, provincial, and territorial privacy laws in effect. Depending on the location of your business and who you are selling to, different privacy laws apply to your business.
For example, if you are selling directly to consumers or private businesses, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) may apply to you, or the substantially similar provincial private-sector laws of British Columbia, Alberta, or Quebec. If you are selling to healthcare providers in Canada, as many as 12 provincial and territorial health privacy laws may apply to you and your customers.
Privacy laws set the ground rules for information management. If you’re setting up a privacy and security program for your start-up or enterprise for the first time, we’re here to help guide you through each step of the process.
To comply with the notice requirements in privacy legislation, you must publish a Privacy Notice or Statement of Information Handling Practices. It informs customers and individuals what personal information your organization collects, why, how it is used and disclosed, how long it is kept, and whom to contact with questions or complaints.
Our team of privacy and security experts can help you develop a suitable Privacy Notice or Statement for your website.
The purpose of an information security policy is to guide your organization’s leadership, employees, and contractors on matters concerning the management of information security. This includes ensuring the protection of all information system assets (including, but not limited to, all computers, mobile devices, networking equipment, software, and data) and the mitigation of risks associated with the theft, loss, misuse, damage, or abuse of these assets.
We help our clients develop, finalize, and implement policies.
Privacy and Security
Cybersecurity is the use of policies, processes, programs, and technologies to protect data, technologies, networks, and systems from unauthorized access, exploitation, or attack. Cybersecurity aims to reduce risk, protect organizations against cyberattacks, and prevent cybersecurity breaches.
Information privacy is the right of an individual to control the collection, use, disclosure, and retention of their personal information.
Privacy by Design (PbD) is a concept developed by Dr. Ann Cavoukian, former Information and Privacy Commissioner of Ontario. PbD was developed in the 1990s to address the ever-growing and systemic effects of information and communication technologies and large-scale networked data systems. PbD asserts that privacy assurance must be built into an organization’s default mode of operation. Previously, most businesses assured privacy solely through compliance with legislation and regulatory frameworks.
The objectives of Privacy by Design (PbD) are to ensure individuals’ privacy and to help them gain personal control over their information while helping organizations gain a sustainable competitive advantage. The seven foundational principles of Privacy by Design (PbD) are:
- Proactive not reactive; preventative not remedial. PbD anticipates and prevents privacy-invasive events. It does not wait for privacy risks to materialize.
- Privacy as the default setting. PbD seeks to deliver the maximum degree of privacy by ensuring that personal data is automatically protected in any given IT system or business practice.
- Privacy embedded into the design. Privacy is embedded into the design and architecture of IT systems and business practices. Privacy becomes an essential component of the core functionality being delivered.
- Full functionality. Positive-sum, not zero-sum. PbD accommodates all legitimate interests and objectives in a positive-sum, “win-win” manner.
- End-to-end security – Full lifecycle protection. PbD extends throughout the entire lifecycle of the data involved, from collection to secure destruction.
- Visibility and transparency – Keep it open. Whatever the business practice or technology involved, it must operate according to the stated promises and objectives and is subject to independent verification.
- Respect for user privacy – Keep it user-centric. PbD requires architects and operators to keep the interest of the individual top of mind by offering measures like strong privacy defaults, appropriate notice, and empowering user-friendly options.
While the PbD principles provide a useful framework for building privacy into products and services, system developers need more. Specifically, developers need clear and unambiguous requirements, an understanding of available privacy and security controls, and an approach to privacy and security protection based on real risks to personal health information.
Security is the use of policies, processes, programs, and technologies to keep your business, technologies, and information safe from dangers or threats.
Information privacy is important, first, because it is the law. It is a subject that nobody thinks about until something goes wrong. Businesses must comply with all of the relevant privacy laws in their jurisdiction and be able to demonstrate due diligence, so that they avoid privacy breaches and violations of customer privacy rights. Information privacy also builds trust in your organization and fosters a strong reputation. By safeguarding information and prioritizing privacy, businesses can encourage greater adoption of new or existing technologies; privacy can therefore create a competitive advantage and enable new technologies to disrupt a market. When information privacy is managed poorly, it puts organizations at risk and can lead to a security breach, which is extremely costly for organizations and for their customers, investors, and board of directors.
Privacy and Security Assessments
A Privacy Impact Assessment (PIA) is a structured risk management methodology that looks at the environment in which your app or device will operate, how it is used, and how data flows through the technical and business processes. A PIA will help you understand the privacy risks associated with your products and services. You do not want to over-engineer your app or device. A PIA will help identify real hotspots where privacy and security countermeasures may be needed. A PIA is also an important marketing tool because it quickly communicates your privacy safeguards to your customers and demonstrates that you prioritize privacy.
We conduct privacy impact assessments (PIAs) for our client’s products and services. We can also update a past PIA.
A security threat and risk assessment (TRA) is the process of identifying and mitigating threats and risks to the confidentiality, integrity, and/or availability of information. A TRA involves identifying what information is at risk, determining the relative magnitude of each risk, and deciding what to do about it (mitigate, transfer, avoid, or accept). The goal of risk management is to keep risks within acceptable limits at a cost of countermeasures the organization can afford. A TRA is a collaborative process in which representatives of various groups within the organization develop a shared understanding of the threats, the risks, and the available options. TRAs provide evidence to customers and regulators that your business has applied appropriate security due diligence to its products and services.
We conduct security threat and risk assessments (TRAs) for our clients’ products and services. We can also update a past TRA.
Privacy and Security Awareness Training
Most privacy breaches involve human error, and regular privacy and security awareness training measurably reduces security-related risk. Training makes your team your first line of defense by teaching them how to avoid common errors, such as falling for phishing messages, choosing weak passwords, and behaving carelessly online. Privacy and security awareness training is also a compliance requirement: health privacy laws require organizations that handle personal health information to provide regular privacy and security awareness training to all of their employees and contractors.
Privacy and Security Certifications
What are the benefits of information security management system certifications and accreditations?
- The certification process will help your team identify gaps and risks. We will help you implement the necessary information controls to manage risks and/or to help eliminate them. It will help you secure all of your data more effectively, minimizing the risk of a cybersecurity data breach.
- Our certification team will work with your team to develop a customized solution, giving you the flexibility to adapt information and security controls to some or all areas of your organization to ensure that the resulting information security management system meets the specific needs of your business.
- Achieving a certification helps demonstrate your business’ commitment to global best practice. By demonstrating your business’ commitment to security, you can help your business gain trust from your clients, stakeholders, and partners, demonstrating due diligence and excellence in data protection.
- By demonstrating compliance and achieving certification status, your business is set apart for its excellence in information and security management, which will give your business a competitive advantage and may help you gain status as a preferred vendor or supplier.
ISO/IEC 27001 is the international standard for information security management systems (ISMS).
ISO/IEC 27001 certification demonstrates a business’ commitment to global best practice and to security. The standard specifies how to establish, implement, maintain, and continually improve an ISMS, and certification by an accredited body attests that the ISMS meets the standard, helping organizations secure their data more effectively and reduce the risk of a cybersecurity data breach.
What types of information security related certifications or accreditation can PHI help my business achieve?
- ISO/IEC 27001 Certification
- SOC 2 attestation (a Type 1 or Type 2 report issued by an independent auditor; strictly speaking an attestation rather than a certification)
- CyberSecure Canada
Certification preparation is a significant undertaking. Working with our certification team saves your team a great deal of time because we compile all of the necessary documents for you and create a customized information security management system framework that meets the unique needs of your business. Our team of privacy and security experts has helped many other businesses achieve their certifications, so we can anticipate what will be reviewed and what evidence auditors will be looking for. Preparing for a first certification or accreditation can consume the better part of one person’s working year when that person has no prior experience with information security management systems, which is a costly commitment for organizations that do not have dedicated privacy and security professionals on staff.
Privacy and Security Features
- Identified purposes. App developers must identify the exact purposes for which information is collected, used, and disclosed, and they must be open and transparent with users about these purposes. They must ensure that the information is not collected, used, or disclosed for any other purpose.
- Meaningful consent. Every app must have a way of capturing meaningful consent (i.e. not a long, multi page, legal speak form with an “I agree” button at the end). The consent should be written in plain language and the consent process should be completed before any personal information is collected.
- Data minimization. The app should only collect, use, and disclose the minimum amount of data needed for the identified purposes. Features, such as cameras, voice recorders, and location trackers, should be disabled unless they are required for the identified purpose of the app.
- Data encryption. All personal information associated with the app should be encrypted at all times using a strong, standard encryption algorithm. This includes data at rest on the device, data in transit, and any backend system and database.
- Access control. Rigorous access control processes must be in place to manage access to the app and its associated data. This includes end-user roles (e.g., customers or patients) and admin roles (e.g., app developers and support personnel), each limited to the minimum access its duties require.
- Identification and authentication. Robust identification and authentication methods must be applied. This includes strong passwords and multi-factor authentication where appropriate.
- Monitoring and audit. Audit-logging capability must be built into the app to track access to personal information and to enable detection, investigation, and response to privacy and security breaches. Logs must record denied attempts as well as successful access, and must be protected from tampering by the very users they monitor.
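The access control and audit features above, worked through as an added example (this is illustrative code, not code from the original page or any product it describes). It assumes a hypothetical patient-records service with three constructed roles, and chains audit entries with an HMAC so that editing or deleting an entry after the fact is detectable; the key and sample data are constructed for the demonstration and would live outside the application in a real deployment.

```python
"""Role-based access checks plus a tamper-evident audit log (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role table: what each role may do with a patient record.
# Support staff can see metadata only, never record contents.
PERMISSIONS = {
    "patient": {"read_own"},
    "clinician": {"read", "write"},
    "support": {"read_metadata"},
}

# Constructed demo key. A real key is held outside the app (KMS/HSM) so that
# an attacker who compromises the app cannot re-sign a doctored log.
AUDIT_KEY = b"constructed-demo-key-do-not-use"


@dataclass
class AuditLog:
    """Append-only log. Each entry carries the previous entry's MAC, so
    editing or removing an entry breaks every MAC after it."""
    entries: list = field(default_factory=list)
    _prev_mac: str = "0" * 64

    def append(self, event: dict) -> str:
        record = dict(event, prev=self._prev_mac)
        body = json.dumps(record, sort_keys=True).encode()
        mac = hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()
        self.entries.append({"record": record, "mac": mac})
        self._prev_mac = mac
        return mac

    def verify(self) -> bool:
        """Recompute the chain. Note: silently dropping the newest entries is
        not caught by the chain alone; anchor the latest MAC off-host too."""
        prev = "0" * 64
        for entry in self.entries:
            record = entry["record"]
            if record.get("prev") != prev:
                return False
            body = json.dumps(record, sort_keys=True).encode()
            expected = hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["mac"]):
                return False
            prev = entry["mac"]
        return True


def access_record(log: AuditLog, actor: str, role: str, action: str,
                  patient_id: str) -> bool:
    """Authorize one action and log the decision either way."""
    allowed = PERMISSIONS.get(role, set())
    if role == "patient" and action == "read":
        permitted = "read_own" in allowed and actor == patient_id  # own record only
    else:
        permitted = action in allowed
    log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "actor": actor, "role": role, "action": action,
        "patient_id": patient_id,
        "result": "allow" if permitted else "deny",
    })
    return permitted


def denied_events(log: AuditLog) -> list:
    """Detection hook: every denied access attempt in the log."""
    return [e["record"] for e in log.entries if e["record"]["result"] == "deny"]


if __name__ == "__main__":
    log = AuditLog()
    access_record(log, "dr_lee", "clinician", "write", "p-1001")
    access_record(log, "p-1001", "patient", "read", "p-1001")
    access_record(log, "p-2002", "patient", "read", "p-1001")    # another patient's record: denied
    access_record(log, "helpdesk", "support", "read", "p-1001")  # support reading contents: denied
    print("chain intact:", log.verify(), "denied attempts:", len(denied_events(log)))
    del log.entries[2]  # an insider removes the evidence of their denied attempt
    print("chain intact after deletion:", log.verify())
```

The two denied attempts are exactly the events an investigator wants to see first, which is why the log records the decision rather than only successful reads. Run it and the final line prints False: removing the third entry leaves the fourth pointing at a MAC that no longer precedes it.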
Privacy and Security Incidents
Your business should establish policies and protocols to prevent, detect, contain, and respond to privacy and security incidents. There are three critical steps in managing a privacy incident. First, contain the incident and document it in a security incident report: what happened, what information was affected, who was involved, and when. Second, communicate and implement an action plan for remediation and recovery to everyone involved in or affected by the breach; as part of this step, notify affected individuals, customers, and regulators where applicable privacy laws require it, and tell them what actions you are taking to mitigate harm. Finally, close the incident once remediation is verified and the lessons learned have been fed back into your controls. Depending on your business, your organization’s breach management protocols may need to be coordinated with the protocols established by your customers.
We’re here to support your team every step of the way as you manage a privacy or security incident. Whether you need help preparing and preventing incidents from ever happening or responding to a security breach that has already occurred, our team is ready to help.
To avoid ransomware and mitigate damage if you are attacked, follow these tips:
- Back up your data. The best way to avoid being locked out of your critical files is to always have backup copies of them, preferably both in the cloud and on an external drive, with at least one copy kept offline. If you do get a ransomware infection, you can wipe the affected device and restore your files from backup. This protects your data and removes the temptation to reward the malware authors by paying a ransom. Backups will not prevent ransomware, but they limit the damage.
- Secure your backups. Make sure your backup data cannot be modified or deleted from the systems where the live data resides. Ransomware looks for backups and encrypts or deletes them so they cannot be used for recovery, so use backup systems that do not allow direct write access to backup files (for example, immutable or versioned storage with separate credentials) and periodically test that a restore actually works.
- Use security software and keep it up to date. Make sure all your computers and devices are protected with comprehensive security software and keep all your software up to date. Make sure you update your devices’ software early and often, as patches for flaws are typically included in each update.
- Practice safe surfing. Be careful where you click. Don’t respond to emails and text messages from people you don’t know, and only download applications from trusted sources. This is important since malware authors often use social engineering to try to get you to install dangerous files.
- Only use secure networks. Avoid using public Wi-Fi networks, since many of them are not secure, and cybercriminals can snoop on your internet usage. Instead, consider installing a VPN, which provides you with a secure connection to the internet no matter where you go.
- Stay informed. Keep current on the latest ransomware threats so you know what to look out for. In the case that you do get a ransomware infection and have not backed up all your files, know that some decryption tools are made available by tech companies to help victims.
- Implement a security awareness program. Provide regular security awareness training for every member of your organization so they can avoid phishing and other social engineering attacks. Conduct regular drills and tests to be sure that training is being observed.
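The “secure your backups” tip above, as an added example of how a verification host can check that backup copies are still intact (illustrative code, not code from the original page). It assumes a backup directory that the production systems cannot write to and a manifest key held only on the verification host; the sample backup files, the damage simulated on them, and the key are all constructed for the demonstration.

```python
"""Detect modified, deleted, or planted files in a backup set (added example)."""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed demo key; keep the real one off the hosts that hold the backups.
MANIFEST_KEY = b"constructed-demo-key-do-not-use"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(backup_dir: str) -> dict:
    """Map relative path -> absolute path for every file under backup_dir."""
    present = {}
    for root, _, names in os.walk(backup_dir):
        for name in names:
            full = os.path.join(root, name)
            present[os.path.relpath(full, backup_dir)] = full
    return present


def build_manifest(backup_dir: str, key: bytes = MANIFEST_KEY) -> dict:
    """Hash every backup file and MAC the listing, so a manifest that was
    itself edited by an attacker is rejected before any file is compared."""
    files = {rel: sha256_file(full) for rel, full in _walk(backup_dir).items()}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(backup_dir: str, manifest: dict, key: bytes = MANIFEST_KEY) -> dict:
    report = {"manifest_ok": False, "missing": [], "modified": [], "unexpected": []}
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return report  # untrusted manifest: stop, do not restore from this set
    report["manifest_ok"] = True
    present = _walk(backup_dir)
    for rel, digest in sorted(manifest["files"].items()):
        if rel not in present:
            report["missing"].append(rel)       # deleted by ransomware or operator
        elif sha256_file(present[rel]) != digest:
            report["modified"].append(rel)      # encrypted in place
    report["unexpected"] = sorted(set(present) - set(manifest["files"]))  # ransom notes, dropped tools
    return report


def demo() -> dict:
    """Constructed scenario: three backup files, then ransomware-style damage."""
    sample = {"patients.db": b"A" * 4096, "notes.txt": b"visit notes", "config.json": b"{}"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in sample.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(d)
        clean = verify_backup(d, manifest)
        # Simulate ransomware: overwrite one file with ciphertext-like bytes,
        # delete another, and drop a ransom note.
        with open(os.path.join(d, "patients.db"), "wb") as f:
            f.write(os.urandom(4096))
        os.remove(os.path.join(d, "notes.txt"))
        with open(os.path.join(d, "README_DECRYPT.txt"), "wb") as f:
            f.write(b"pay up")
        damaged = verify_backup(d, manifest)
    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the check from the verification host on a schedule and alert on any non-empty “missing”, “modified”, or “unexpected” list; a backup set that fails this check is exactly the one you must not restore from without investigating first.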
We help our clients protect themselves and their businesses against ransomware.
Ransomware is malware that employs encryption to hold a victim’s information at ransom. A user or organization’s critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to provide access. Ransomware is often designed to spread across a network and target database and file servers, and can thus quickly paralyze an entire organization. It is a growing threat, generating billions of dollars in payments to cybercriminals and inflicting significant damage and expenses for businesses and governmental organizations.
Industry breach-cost studies put the average cost of a security incident in the millions of dollars.
If you think your business has experienced a security breach, contact us immediately so we can help you manage, stop, and respond to the security breach.
Privacy and Security Laws
The California Privacy Rights Act (CPRA) covers the sharing of personal information as well as its sale, which makes it applicable to more businesses than the original CCPA. Among other thresholds, a business that annually buys, sells, or shares the personal information of 100,000 or more California consumers or households must comply with the CPRA.
The GDPR applies to any organization that targets or collects data related to people in the EU. The GDPR applies to both organizations within the EU and organizations located outside of the EU who process or collect personal data related to people who reside in the EU (regardless of the company’s location).
HIPAA applies to covered entities, that is, health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a HIPAA-covered transaction, and to the business associates that handle protected health information on their behalf.
Yes. Privacy laws such as PIPEDA and HIPAA, and privacy control frameworks generally, require that at least one person be designated as the Privacy and Security Officer within your organization. This individual is accountable for compliance with privacy law and for executing your organization’s privacy management program. This individual should be an officer of the company with the authority to ensure your business takes the actions needed to fulfill your organization’s privacy management program.
Ontario’s Personal Health Information Protection Act (PHIPA) applies to health information custodians involved in the delivery of healthcare services, as well as to the agents, electronic service providers, and health information network providers who provide services, manage data, or act on behalf of custodians.
There are more than 30 different pieces of privacy legislation in effect across Canada covering the public, private, and health sectors.
Our team has privacy and security expertise in multiple countries and jurisdictions. We can help your business comply with privacy laws in North America (Canada, the United States, and Mexico), Europe (including the UK), Australia, New Zealand, China, and Japan.
If my service providers claim that they are HIPAA compliant, does it mean my business is HIPAA compliant?
No. Your cloud service provider can help you meet many of the physical and technical requirements of the HIPAA Security Rule, such as secure data centers and networks, and a business associate agreement (BAA) binds the provider to its own obligations. However, your business remains responsible for its own HIPAA compliance. That includes the administrative safeguards mandated by HIPAA, such as policies and procedures, risk management, and monitoring and audit, and the application-level safeguards, such as access control. A provider’s BAA gives little or no support for your obligations under the HIPAA Privacy Rule.
We can help ensure your business is HIPAA compliant. Get a free privacy assessment to find out if your business is HIPAA compliant.
HIPAA stands for the Health Insurance Portability and Accountability Act. Passed in 1996, HIPAA was designed to modernize the US health insurance industry by promoting the use of information technology in healthcare. HIPAA was augmented in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act that further promoted the adoption and meaningful use of health information technology.
US lawmakers recognized that concerns about privacy and security would be significant barriers to the adoption of technology in the health sector. In response, the Privacy and Security Rules were issued under HIPAA’s Administrative Simplification provisions. Under HITECH, the Privacy and Security Rules were strengthened, the Breach Notification Rule was added, and the Enforcement Rule was expanded with higher penalties.
The General Data Protection Regulation (GDPR) is one of the strictest privacy and security laws in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target or collect data related to people in the EU. The regulation took effect on May 25, 2018. The GDPR provides for heavy fines against those who violate its privacy and security standards, with penalties of up to €20 million or 4% of worldwide annual turnover, whichever is higher.
With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).