New regulations on data breach response



Published on January 23, 2019

Since the year 2000, the Personal Information Protection and Electronic Documents Act (PIPEDA) has been in place to govern how companies across Canada collect, use and disclose personal information. This governance mandates that the privacy commissioner be notified of breaches of safeguards. As of November 1, 2018, PIPEDA has required mandatory breach notification, which forces companies to also directly inform their customers and third parties, such as law enforcement, who can help mitigate the impact on affected individuals.

This amendment is obviously a strong incentive for companies to ensure they keep data safe and secure in order to protect consumers and the company itself. It is also crucial to be aware that cyber criminals are increasingly targeting small to medium-sized businesses, which are often viewed as soft targets when it comes to stealing personal information—it’s no longer just the large banks or retailers that need to worry. CFOs bear a heavy responsibility regarding this matter.


What is a data breach?

A data breach is the unauthorized access, theft or modification of information. And even if your information hasn’t left your premises—your company may not even know if anything has been stolen—the fact that your systems were infiltrated constitutes a breach that must be reported.

Where do these attacks come from, anyway? It varies, and tracking down the original source is complex. But, frankly, companies often don’t want to spend the time and money identifying who’s on the other end of the keyboard. Instead, they prioritize identifying the hole, fixing it and recovering from the incident. Often, the expectation is that an investigation into the individual(s) involved will be taken care of by law enforcement, but due to sheer demand, it could take a considerable amount of time before they can investigate, which limits the chances of a successful outcome.

The new regulations apply whether the breach was committed by an external source or an internal employee. And insider involvement is rising at an alarming rate. In fact, recent research shows that 25% of data breaches are due to some form of insider involvement. It could be anyone from an IT department employee, who can access HR records or payroll data, to the cleaners, who have access to the office at night.

Why would someone from within the organization do it? Quite simply, crime pays. With the rise in the use of the dark web, criminals can very easily sell stolen information from the comfort of their own homes in order to monetize it. And some employees are proactively offering their insider services on the dark web, compensated by criminal elements in return for their company’s data. They provide stolen information and passwords to key systems, and they even install viruses. Yes, people are actually marketing their insider abilities—and they are exactly the individuals hackers are looking for. It’s shockingly straightforward.

Other insiders may be motivated by self-preservation: extortion is actually happening and criminals often use threats of exposing people’s secrets, activities and personal associations to force them to serve as an insider.


What are the costs of a breach?

The responsibility for managing a company’s cyber risk ultimately lies with the board and, if there is no board, it falls to the senior executives. And, of course, all employees in an organization and all of its third parties have a role to play in cyber security. Everyone should stay up to date on security threats such as phishing and ransomware. Employees should know how they can do their part in countering breaches and, in the event an incident occurs, what their role is in terms of response and recovery.

CFOs in particular are integral to preventing cyber security incidents and recovering from them if one occurs. It’s crucial that the CFO understand what’s required, including helping to quantify the potential damage or impact of incidents on the organization. For example, if there is a ransomware attack and systems go down for 10 days, the CFO has to be able to help the business translate that into a dollar figure and identify the true cost of the cyber incident.

This includes the immediate costs of the incident response and the help of forensic professionals to stem the problem, but there are many other hidden or potential costs, e.g., an increase in insurance premiums; an interest-rate increase on debt if the company’s credit rating is downgraded; fees for a PR firm to manage the crisis; and fees for attorneys. These are just a few examples. The following table provides a more detailed breakdown:


Data breach impact factors


What are best practices for mitigating risk?

First, you must identify your organization’s “crown jewels.” Crown jewels refer to the information that is essential for your organization to remain operational and differentiate itself from the competition. In addition to crown jewel data, organizations should also look at the information they manage that, while perhaps not essential to their business, would have a material impact in the event of a breach. For example, HR may store resumes for years, even those of people it never interviewed or hired. The disclosure of that personal information could result in a material breach requiring the organization to endure the same kind of operational, financial and reputational impacts as a breach involving their crown jewel data.

CFOs play a key role in risk management, working closely with business stakeholders to quantify the losses from specific events and to determine the long-term and systemic impacts associated with an incident.

Next, an organization should identify applicable regulatory, legislative and commercial agreements and look for requirements to both protect data and notify in the event of its loss.

The organization must then develop a security program based on a recognized framework such as ISO or NIST to address its data protection and management requirements, including how to manage a breach if one occurs. Do you have an incident response plan in place? If so, is it detailed enough? Too often, these response plans are high-level and do not focus on the specifics. The response plan should have a variety of operating procedures for various situations (e.g., the response to a data breach would differ from the approach to a ransomware attack). And once you have a comprehensive plan—one that is effective and defensible post-incident—you must test it frequently.

It’s critical to run realistic simulations with key third parties as well. Security management is often outsourced, whether via backups or the cloud, which means security incidents can be more complicated to manage since policies may not be aligned. And perhaps your third-party supplier does not have good policies. Maybe it doesn’t even need to notify you if it is hacked, and you may not be able to access its information so that you can carry out a forensic investigation in the event of a security breach.

Far too often, a third party is at fault when something goes wrong, but it’s the organization that brought them in that pays the price—it’s their name that appears in the media and it’s their reputation that’s on the line. Additionally, legislation doesn’t discriminate. So make sure that whatever you do internally in your organization maps to the same processes provided by third parties.


What’s the bottom line?

CFOs have the ability to take a long-term look to identify the cost of cyber security incidents and to work with business leaders to balance the risk versus the reward. Do you invest $2 million in security controls? If you don’t, what’s the cost of not implementing such controls? An organization might say it would rather minimize risk by spending a few hundred thousand on cyber insurance, which could help offset the costs of an incident. Or it may buy a larger policy to cover much more.

So, once risks are identified, they can be avoided, accepted, reduced or transferred. But an organization must be able to determine what the actual cost of any losses would be. It’s the CFO who is instrumental in providing the information needed for the organization to make the call.




Kevvie Fowler

Kevvie is a partner and the National Resilience Leader at Deloitte. He is the author of the books Data Breach Preparation and Response and SQL Server Forensic Analysis, and is a contributing author of several risk management and cyber security publications.
