Business lawyer Jayden Quinn speaks about how to prevent and manage the data security breaches that plague so many businesses. Tune in to the full podcast to learn how to protect yours.
As Forbes states, a business's second most valuable asset, next to its people, is its data. How are you protecting yours?
If you think you'll never have to worry about a data security breach, think again. It can happen whether you head up a large firm with an ironclad IT system or a small, local business.
Half of all businesses have already experienced a data security breach and cases continue to rise, yet most business leaders do not have an incident response plan in place. It's a dangerous risk to take, as a cyber security breach could shut down your operations and have a widespread impact on your employees, customers, board members, and anyone else who's on record as having interacted with your business.
The very thought might make you uneasy, though that's not necessarily a bad thing.
"It means you're on your toes and you're aware of the problem," says Andrew Buck, business lawyer at Avvocato Law in Winnipeg.
1. Inventory your data
Inventories aren't just for tangible goods. All businesses should inventory their data, too.
"How could you possibly understand the extent of the problem if you don't know what information you have in the first place?" Andrew asks.
2. Develop an incident response plan
It could be a hacker that shuts down your computers or a disgruntled employee selling information to your competitors (fun fact: 22 per cent of breaches come from within a company), but if it happens, you need to know what to do, and quickly.
Contain
"You need to shut off the tap," says Andrew.
That might mean reaching out to forensic experts or a systemwide reset, but your first job is stopping the flow of any more classified information.
Mitigate
The mitigation phase is where you'll look at how you can reduce the harm to those who have been affected by the breach. For instance, if the breach involved a leak of financial information, it might mean offering free credit monitoring for a year or two.
Notify
In Canada, you're required to report privacy breaches or data security incidents that cross a certain threshold, what is known in the legal world as "real risk of significant harm." IT professionals, lawyers, and privacy regulators (find details at the Office of the Privacy Commissioner of Canada) can help you determine whether that threshold has been crossed.
Canada's privacy law (the Personal Information Protection and Electronic Documents Act, or PIPEDA) specifies that a breach report should be made as soon as feasible, as in, as soon as you get a grip on what happened. You can and should update your report as more details come in.
Andrew points to the case of Ashley Madison, a Canadian dating site for those who are married or coupled. It faced a significant security breach in 2015, with user data released to the public by hackers, causing significant harm to individuals' families and reputations. The Office of the Privacy Commissioner of Canada conducted a thorough investigation, and its report, Andrew says, serves as an example of what is expected in terms of protecting privacy and data security.
3. Practice your incident response plan
Your incident response plan should not be a document that sits in a drawer and collects dust. Practice it, update it, and know it well, so you're ready to put it into action as soon as you need to.
4. Protect the data you're entrusted with
If you're a board member, you may be privy to confidential company information. Andrew suggests seeking resources that provide guidance for boards, such as the Canadian Securities Administrators (CSA), the Investment Industry Regulatory Organization of Canada (IIROC) and the Office of the Superintendent of Financial Institutions (OSFI).
5. Understand the threats
Ransomware is software that essentially holds your data hostage until you pay a sum to retrieve it. Still, there's no guarantee paying that sum will get your data back.
The best thing you can do is to have a data backup and a disaster recovery system ready so you can bring your data back immediately. With ransomware attacks expected to increase by 100 per cent in 2022, it's important to know how to react should one happen.
6. Train staff
Andrew tells of an email he received from a regular client that read, "Here's the report you asked for." He hadn't requested a report, so he responded to see if the email was legit. The client assured him it was. Andrew then forwarded the email to his company's IT department and confirmed it was spam. Threats are becoming increasingly sophisticated. Andrew recommends training staff on how to identify threats, using different passwords for different applications, and picking up the phone if there's uncertainty over an email. Two-factor authentication can weed out threats like the one Andrew experienced.