PIPEDA & MDR: Breaches, Reporting and Advice

Changes to Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect November 1st. This regulation extends beyond the Canadian border to those companies doing business with (or ‘controlling data’ of) Canadians in most provinces. There are several stipulations about how data is handled, and most important to the people reading this will be those about data breaches. Note that the government specifically calls out that the regulation applies to small businesses. Below, we describe how our MDR clients are a step ahead, with three ways we can help organizations deal with these new regulations.

Fewer Breaches to Disclose

One of the new stipulations within PIPEDA (detailed here) is that organizations are required to report breaches involving personal information under their control. Note that disclosure is required only for breaches for which there is a Reasonable Risk of Significant Harm (RRoSH) to those impacted. Ultimately, this is designed to reduce the fallout of a breach (e.g., personal data being revealed).

Our Managed Detection and Response (MDR) service helps prevent breaches in the first place, by detecting suspicious behaviour and other indicators of compromise (IOCs) that signature-based technologies may have missed – and responding to them. We achieve this through a combination of dedicated Threat Hunters who are proactively looking for threats, rigorous processes in place for them to leverage, and our proprietary technology stack enabling them to prioritize and respond to the most relevant ones first.

So, you can mitigate the risk of fallout by detecting and responding to threats before any data is exfiltrated; thereby removing the need to report the breach.

Greater Visibility/Information to Report

Another stipulation: you must retain records of all breaches, whether there is RRoSH or not, for two years from when you discover them.

(Read more...)

*** This is a Security Bloggers Network syndicated blog from IntelliGO MDR Blog authored by Adam Mansour. Read the original post at: https://www.intelligonetworks.com/blog/pipeda-and-mdr-breaches-reporting-advice