
FAQs

There are more than 30 different pieces of privacy legislation in effect across Canada covering the public, private, and health sectors.

If you think your business has experienced a security breach, contact us immediately so we can help you manage, stop, and respond to the security breach.

Your business should establish policies and protocols to prevent, detect, contain, and respond to privacy and security incidents. There are three critical steps in managing a privacy incident. First, you will need to complete a security incident report. Second, you need to ensure that the incident is closed. Finally, you need to communicate and implement an action plan for remediation and recovery to all of those involved and implicated by the security breach. In this final step, you must notify all individuals, customers, and regulators of the security breach and the actions you are taking to mitigate harm. Depending on your business, your organization’s breach management protocols may need to be coordinated with the protocols established by your customers. 

We’re here to support your team every step of the way as you manage a privacy or security incident. Whether you need help preparing and preventing incidents from ever happening or responding to a security breach that has already occurred, our team is ready to help.

To avoid ransomware and mitigate damage if you are attacked, follow these tips:

  • Back up your data. The best way to avoid the threat of being locked out of your critical files is to ensure that you always have backup copies of them, preferably in the cloud and on an external hard drive. This way, if you do get a ransomware infection, you can wipe your computer or device clean and restore your files from backup. This protects your data, and you won’t be tempted to reward the malware authors by paying a ransom. Backups won’t prevent ransomware, but they can mitigate the risks.
  • Secure your backups. Make sure your backup data is not accessible for modification or deletion from the systems where the data resides. Ransomware will look for data backups and encrypt or delete them so they cannot be recovered, so use backup systems that do not allow direct access to backup files.
  • Use security software and keep it up to date. Make sure all your computers and devices are protected with comprehensive security software and keep all your software up to date. Make sure you update your devices’ software early and often, as patches for flaws are typically included in each update.
  • Practice safe surfing. Be careful where you click. Don’t respond to emails and text messages from people you don’t know, and only download applications from trusted sources. This is important since malware authors often use social engineering to try to get you to install dangerous files.
  • Only use secure networks. Avoid using public Wi-Fi networks, since many of them are not secure, and cybercriminals can snoop on your internet usage. Instead, consider installing a VPN, which provides you with a secure connection to the internet no matter where you go.
  • Stay informed. Keep current on the latest ransomware threats so you know what to look out for. In the case that you do get a ransomware infection and have not backed up all your files, know that some decryption tools are made available by tech companies to help victims.
  • Implement a security awareness program. Provide regular security awareness training for every member of your organization so they can avoid phishing and other social engineering attacks. Conduct regular drills and tests to be sure that training is being observed.

We help our clients protect themselves and their businesses against ransomware. 

Ransomware is malware that employs encryption to hold a victim’s information for ransom. A user’s or organization’s critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to provide access. Ransomware is often designed to spread across a network and target database and file servers, and can thus quickly paralyze an entire organization. It is a growing threat, generating billions of dollars in payments to cybercriminals and inflicting significant damage and expenses on businesses and governmental organizations.

The average cost of a security incident is $5 million.

Cybersecurity is the use of policies, processes, programs, and technologies to protect data, technologies, networks, and systems from unauthorized access, exploitation, or attack. Cybersecurity aims to reduce risk, protect organizations against cyberattacks, and prevent cybersecurity breaches.

Security is the use of policies, processes, programs, and technologies to keep your business, technologies, and information safe from dangers or threats.

Privacy by Design (PbD) is a concept developed by the former Privacy Commissioner of Ontario, Dr. Ann Cavoukian. It was developed in the 1990s to address the ever-growing and systemic effects of information and communication technologies and large-scale networked data systems. PbD asserts that privacy assurance must be designed as part of an organization’s default mode of operation. Previously, in most businesses, privacy was assured solely by compliance with legislation and regulatory frameworks.

The objectives of Privacy by Design (PbD) are to ensure individuals’ privacy and to help them gain personal control over their information while helping organizations gain a sustainable competitive advantage. The seven foundational principles of Privacy by Design (PbD) are:

  1. Proactive not reactive; preventative not remedial. PbD anticipates and prevents privacy-invasive events. It does not wait for privacy risks to materialize.
  2. Privacy as the default setting. PbD seeks to deliver the maximum degree of privacy by ensuring that personal data is automatically protected in any given IT system or business practice.
  3. Privacy embedded into the design. Privacy is embedded into the design and architecture of IT systems and business practices. Privacy becomes an essential component of the core functionality being delivered.
  4. Full functionality. Positive-sum, not zero-sum. PbD accommodates all legitimate interests and objectives in a positive-sum, “win-win” manner.
  5. End-to-end security – Full lifecycle protection. PbD extends throughout the entire lifecycles of the data involved from start to finish. 
  6. Visibility and transparency – Keep it open. Whatever the business practice or technology involved, it must operate according to the stated promises and objectives and is subject to independent verification.
  7. Respect for user privacy – Keep it user-centric. PbD requires architects and operators to keep the interest of the individual top of mind by offering measures like strong privacy defaults, appropriate notice, and empowering user-friendly options.

While the PbD principles provide a useful framework for building privacy into products and services, system developers need more. Specifically, developers need clear and unambiguous requirements, an understanding of available privacy and security controls, and an approach to privacy and security protection based on real risks to personal health information.

First, information privacy is important because it is the law. It’s a subject that nobody thinks about until something goes wrong. It is critical that businesses comply with all of the relevant privacy laws in their jurisdiction and demonstrate due diligence so they can avoid privacy breaches and violations of customer privacy rights. Information privacy can also help build trust in your organization and foster a strong reputation. By safeguarding information and prioritizing privacy, businesses can foster greater adoption of new or existing technologies. As a result, privacy can help create a competitive advantage for businesses and can enable digital disruption for new technologies. When information privacy is not managed well, it puts organizations at risk and can lead to a security breach, which is extremely costly for organizations and their customers, investors, and boards of directors.