Published: August 22nd, 2018

After sitting on mandatory data-breach disclosure rules for three years, the federal government quietly pushed them through in March and gave affected organizations a six-month grace period to prepare, but members of the Canadian channel community remain concerned about the vagueness of the rules, which, to this day, haven’t been thoroughly explained.

The Digital Privacy Act amended parts of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), including introducing a new data breach notification requirement that will come into effect on Nov. 1. Earlier this year, the Standing Committee on Access to Information, Privacy and Ethics asked for significant amendments to PIPEDA – which was introduced in 2000, before Facebook existed but after Google was incorporated, and targets the commercial sector – so that the legislation reflects today’s digital age.

The update will require organizations to report to affected individuals and the Office of the Privacy Commissioner (OPC) regarding any security breach involving personal information that creates a “real risk of significant harm.”

But the OPC considers a wide range of concepts when describing significant harm, including bodily harm, humiliation, damage to reputation or relationships, and identity theft. Notification to affected individuals and reporting to the OPC, according to the legislation as it’s written now, is required “as soon as feasible after an organization determines that the breach has occurred.”

That’s not good enough, says Matthew Tyrer, Commvault’s senior manager of solutions marketing for Americas.

“These terms are still very vague, and they don’t even have a definite timeline for when a response has to be made,” he told CDN. “They’ll have to tighten that up.”

Theo Van Wyk, chief technology officer of security at Scalar Decisions, agrees.

“We’re anxiously waiting to see exactly how these terms will be interpreted,” he tells CDN.

Until Nov. 1, breach reporting will remain voluntary, and while the updates to the Digital Privacy Act and PIPEDA are a step in the right direction, Tyrer suggests they should have been in place for years.

He’s not alone. Michael Geist, a University of Ottawa law professor, blasted the federal government for dragging its feet on the file. In an op-ed for the Globe and Mail back in March, Geist wrote that “The failure to expedite security breach disclosure rules is an embarrassing failure for successive Conservative and Liberal governments, placing the personal information of millions of Canadians at risk and effectively giving a free pass to companies that do not adequately safeguard their customers’ information.”

PIPEDA also doesn’t put enough emphasis on cloud infrastructure that helps better protect data, says Richard Losier, executive vice-president of technology for BriteSky Technologies, an Ottawa-based Commvault partner. He suggests the legislation should lean more into voluntary international standards, such as ISO 27001 and 27018, that set out best practices for personal information held by public cloud service providers.

“I’d like to see it combined with an ISO 27018 that puts it in a more tightly squeezed environment where the provider and the owner of data are able to do the right thing to protect the data before it actually leaves,” he says.

But despite the uncertainty around the latest amendments to privacy legislation in Canada, Losier says BriteSky and the larger enterprises it serves remain well-versed in providing flexible and secure enterprise cloud services and solutions for Canadian businesses.

Handing over the keys

BriteSky enterprise clouds and managed cloud services are built on the company’s modular Portable On-Demand Data Centre (PODD) cloud architecture, allowing organizations to scale that architecture and maintain complete control of their data at all times. Sometimes enterprises will have multiple networks that don’t necessarily communicate through a firewall, says Losier. That doesn’t fly.

“We sit there and say ‘no that’s not good enough’ so we’re going to give you extra visibility into your networks and force all the networks to flow through a firewall no matter what,” he explains.

Enterprises in Canada increasingly have their own security teams with their own security tools and procedures, and those are often good enough that BriteSky can hand over the keys to their data and cloud environments and simply layer on added visibility and search functions – enhanced by Commvault – to better meet Canadian legislation that, in November, will require a quick turnaround time for requested data. At this point, however, the enterprise customer, not BriteSky, is on the hook for data requests made under PIPEDA, under the European Union’s General Data Protection Regulation (GDPR), or by an individual customer.

“If [BriteSky] is doing managed services then yes, 100 per cent, the customer is telling me that they want us to take care of their backups for them, we have access to the data and we sit there at our 24/7, 365 help desk and have the ability to recover that data anytime they want, very rapidly,” says Losier.

BriteSky’s close work with enterprises around cloud security and visibility has made them Commvault’s largest cloud provider in Canada, according to its president Joey Harrison.

For most larger enterprises, the Nov. 1 deadline is more of an opportunity to revisit procedures and make sure that they’re well-equipped to protect data, monitor threats and respond to them accordingly, says Scalar Decisions’ Van Wyk. Smaller organizations that deal with personally identifiable information may be further behind.

“When we work with our customers to prepare them, we look at their incident response plans and make sure they incorporate a public relations and a legal element into their incident response plan for notifying the appropriate parties,” Van Wyk explains, pointing to a common occurrence where the legal team and PR team are at odds with each other in terms of messaging around a data breach. “Then make sure you practice that response plan. Too often we find that customers have a response plan but it sits in the corner collecting dust.”