Canada’s New Breach Notification Law: Preparation and Impact

On November 1, 2018, Canada’s Data Privacy Act amended the Personal Information Protection and Electronic Data Act (PIPEDA) to include Breach of Security Safeguards Regulations. Organizations subject to PIPEDA will now have to report breaches that pose “real risk of significant harm” to affected individuals to the Office of the Privacy Commissioner of Canada (OPC). What does this new regulation mean for organizations and how can they operate in a way that supports the regulation?

Why Did Canada Introduce a New Breach Notification Law?

The entire world is stepping up its game when it comes to privacy laws because of the continual growth of personal data sharing, unauthorized disclosures, and controversial uses of personal data. PIPEDA is Canada’s federal privacy law that regulates how organizations and businesses handle personal information. Like many privacy laws, it applies when personal information is collected, used, or disposed of for commercial purposes.

The purpose of PIPEDA is similar to that of GDPR or CCPA: to facilitate growth in electronic commerce by increasing the confidence of digital consumers, and to contribute positively to the readiness of Canadian businesses. PIPEDA aims to balance the privacy rights of individuals with the legitimate needs of business. Because so many Canadian organizations are required to comply with GDPR, this new regulation will further align PIPEDA with GDPR.

What Does My Organization Need to Know About Canada’s New Breach Notification Law?

If you’re not familiar with PIPEDA, Canada’s Data Privacy Act, or the new Breach of Security Safeguards Regulations, the following basic principles will help you understand the basics of Canada’s new breach notification law:

  • PIPEDA defines a breach of security safeguards as the loss of, unauthorized access to, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards or from a failure to establish those safeguards.
  • PIPEDA defines significant harm as bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, and damage to or loss of property.
  • Whether the breach of security safeguards impacts one individual or thousands, it still needs to be reported if there is a real risk of significant harm.
  • Under PIPEDA’s accountability principle, even if an organization transfers personal information to a third party for processing purposes, it’s still responsible for the security of that personal information. Organizations must have appropriate contractual agreements in place to ensure that the relationship complies with PIPEDA.
  • Under the Breach of Security Safeguards Regulations, the contents of notification must include the description and/or cause of the breach, date or period of the breach, description of the personal information that was breached, number of individuals impacted, what the organization has done to reduce risk of harm to victims, how the organization will notify the victims, and a point of contact for information about the breach.
  • When a breach has occurred, the organization must maintain a record for a minimum of 24 months.
  • Failure to report a breach that poses real risk of significant harm could result in fines of up to $100,000 for each individual affected by the breach, if the federal government decides to prosecute a case. Under the current law, the OPC cannot issue fines or corrective actions, only advise organizations on how to make changes.

How Can Organizations Prepare?

This new breach notification law was released in April 2018, but went into effect in November, giving organizations six months to prepare themselves. Some reasonable preparation steps for your organization include the following:

  • Create a formal incident response plan that has been tested and implemented.
  • Create breach notification templates that include fields for all required content.
  • Conduct a formal risk assessment to determine the likelihood of a breach and the factors that are relevant to real risk of significant harm.
  • Perform data mapping to determine where personal information is collected, processed, or stored.
  • Assess user access activities and consider operating under a business need to know basis.
  • Stay aware of other breaches in your industry and learn from them. Don’t make the same mistakes as your competitors.

More Resources

OPC’s Tips for Containing and Reducing the Risks of a Privacy Breach

OPC’s Self-Assessment Tool for Securing Personal Information

OPC’s Breach Report Form

Getting the Most Out of Your Information Security and Cybersecurity Programs in 2019

As organizations plan their information security and cybersecurity efforts for 2019, we often hear a lot of confusion and frustration about things like frameworks modifying their requirements, the cost of audits and assessments rising, scopes getting bigger, and testing seeming to get more difficult.

The threats will do nothing but persist in 2019. You need to do more to protect your organization. When prices or scope or frequency increases, here’s what we’re going to ask you: don’t you want more in 2019 than you got in 2018?

Root Causes of Data Breaches and Security Incidents

Some things stay the same. The root causes of data breaches and security incidents center around three areas: malicious attackers, human error, and flaws in technology. Let’s dive into how these areas impact your organization’s information security and cybersecurity efforts.

  • Organized criminal groups aren’t stopping; they’re only getting more sophisticated. They’re using tried and true techniques that continue to work on victims. There’s obviously financial motivation, but a malicious attacker could also be motivated by a political agenda, social cause, convenience, or just for fun.  
  • Employees will continue to be your weakest link. Verizon’s 2018 Data Breach Investigations Report states that one in five breaches occurs because of human error.
  • As if human error wasn’t bad enough, malicious insiders are even worse. 28% of cyberattacks in 2018 involved insiders.
  • Technology is a blessing and curse. Systems glitch and cause major data breaches and security incidents.
  • It’s almost impossible to run a business without involving third parties. Inevitably, third parties cause data breaches and security incidents, and your organization must deal with the consequences.  
  • Timing is everything when it comes to data breaches and security incidents, and hackers are usually quicker than your team. Ponemon’s 2018 Cost of a Data Breach Study reports that the average time to identify a data breach was 197 days in 2018. To actually contain the breach? 69 days.

These root causes, all connected to malicious attackers, human error, and flaws in technology, impact your organization’s information security and cybersecurity efforts in a significant way. Did you experience a negative impact from these areas in 2018? How are you going to mitigate the risks in these areas for 2019?

Cost of a Data Breach

There’s no denying that information security and cybersecurity efforts require a financial investment, but so do data breaches and security incidents. According to Ponemon, the average total cost of a data breach was $3.86 million in 2018 – a 6.4% increase from 2017. You can bet that in 2019, that number will grow again.

Organizations are usually surprised that the following elements drive up the cost of a data breach:

  • Loss of customers
  • Size of the breach
  • Time it takes to identify and contain a data breach
  • Effective incident response team
  • Legal fees and fines
  • Public relation fees
  • Information security and cybersecurity program updates

Take the City of Atlanta, for instance. When the SamSam ransomware attack hit in March of 2018, it was initially estimated to cost $2.6 million in emergency response efforts. Incident response consulting, digital forensics, crisis communication, Microsoft expertise, remediation planning, new equipment, and the actual ransom cost added up quickly. It’s now speculated that this ransomware attack cost $17 million.

As the cost a of data breach rises, so does the cost of information security auditing and testing. The threats are pervasive – how can you make a smart investment to avoid the cost of a data breach?

Your Plan for 2019

Now that you’ve learned about the persistent root causes of data breaches and security incidents, plus the cost of a data breach, what are you going to do about it in 2019? How are you going to modify your information security and cybersecurity efforts? Here are a few areas to consider as we head into a new year:

  • When was the last time you performed a formal risk assessment? Risk assessments can provide you with what we call the three C’s: confidence, clear direction, and cost savings.
  • If your weakest link is employees, how will you hold them accountable to their security awareness training?
  • Ponemon reports that when an organization has an incident response team, they save $14 per compromised record. Has your incident response plan been tested recently?
  • What security automation tools would be a valuable investment for your organization? According to Ponemon, security automation is a way to decrease the cost of a data breach because you’re able to identify and contain the attack faster.
  • Ask your auditing firm to educate you on what new cybersecurity testing exists and which relevant requirements will be changing in 2019.

No defense is 100% effective. There are no guarantees that a data breach or security incident won’t occur. Organizations must be vigilant in doing what they can to prepare, detect, contain, and recover from persistent and sophisticated threats. Auditing firms must also commit to providing quality, thorough services that will empower organizations to meet their challenging compliance objectives. At KirkpatrickPrice, that’s our mission and our responsibility. Contact us today to discuss how we can prepare your organization for the threats of 2019.

More Data Breach and Incident Response Resources

What Is an Incident Response Plan? The Collection and Evaluation of Evidence

[24] Cyber Incident: How Your Vendors Can Impact Your Security

Rebuilding Trust After a Data Breach

Horror Stories: Million Dollar Malware Losses

California Consumer Privacy Act vs. GDPR: What Your Business Needs to Know

Data Privacy and Security in the US

According to Pew Research Center, 64% of American adults have experienced data theft. Yahoo, eBay, Equifax, Target, Anthem, Home Depot – it has become habitual to worry about data breaches, identity theft, and other privacy concerns. With every new headline of a data breach, it seems like consumers are losing more control over what personal information is publicly available.

At the same time, it’s nearly impossible to go through an ordinary day without sharing personal information. There are businesses out there that know where you live, how fast you drive, how many hours of sleep you got last night, if you’re on-budget for the month, what type of music you listen to, how many times you’ve tweeted this month, if you’re meeting your fitness goals, and how many children you have – just to name a few categories. With the complexity and sophistication of the current threat landscape, regulators, lawmakers, and consumers must be more alert than ever. In 2018, numerous states have added or updated data privacy and breach notification laws, including:

  • The Alabama Breach Notification Act of 2018 went into effect on June 1, 2018 to heighten consumer protections.
  • Arizona amended its breach notification law, HB 2145, to expand the definition of personal information and refine notification timelines.
  • Colorado enhanced consumer protections through amendments to HB 1128, which went into effect on September 1, 2018.
  • Ohio passed The Data Protection Act, a scalable bill that focuses on businesses’ cybersecurity programs.
  • Iowa passed HF 2354 to regulate the protection of student information when used on an online service or application.
  • Louisiana amended Act No. 382 to create a more comprehensive data privacy and breach notification law.
  • Nebraska passed LB 757, a bill requiring “reasonable security procedures and practices” to provide consumer protection.
  • Oregon amended SB 1551 to extend the scope of its breach notification rules and went into effect on June 2, 2018.
  • The South Carolina Insurance Data Security Act, which goes into effect on January 1, 2019, emphasizes the need for cybersecurity programs and incident response plans in the insurance industry.
  • South Dakota enacted its first breach notification law in SB No. 62, effective on July 1, 2018.
  • Vermont passed 764, which will regulate data brokers’ information security program and data privacy practices.
  • Virginia extended its breach notification law, HB 183, to include information tax information.

The California Consumer Privacy Act of 2018 has stood out among state laws, though. Let’s discuss what this law is and why it is being perceived as the US equivalent of GDPR.

Introducing the California Consumer Privacy Act of 2018

In June, California Governor Jerry Brown signed into law AB 375, enacting The California Consumer Privacy Act of 2018 (CCPA). Despite opposition from industry leaders like Google, Verizon, Comcast, and AT&T, approximately 629,000 Californians petitioned to get the law on the ballot, and now, Californians have been granted the most comprehensive consumer privacy rights in the country. This is evidence that consumers want ownership, control, and security over their personal data.

The purpose of CCPA is to give consumers more rights related to their personal data, while also holding businesses accountable for respecting consumers’ privacy. Because of California’s reputation as a hub for technology development, this law speaks to the needs of its consumers which continue to evolve with technological advancements and the resulting privacy implications surrounding the collection, use, and protection of personal information.

For-profit businesses that do business in California and that fall under any of the following categories must comply with the CCPA:

(A) Have annual gross revenues of over $25,000,000,

(B) Buy, sell, or share the personal information of 50,000+ consumers per year

(C) Derive 50% or more of their annual revenues from selling consumers’ personal information

Has the GDPR Made Its Way to the US?

The European Union’s legislation, the General Data Protection Regulation (GDPR), has been a top regulatory focus of 2018, even among US companies. The first globally relevant data privacy regulation of its kind, GDPR is considered to be one of the most significant information security and privacy laws of our time. GDPR applies to any entity collecting, using, or processing personal data of any data subject in the EU, which means that the applicability of the law follows the data, wherever in the world that data resides.

California Consumer Privacy Act vs. GDPR: What Your Business Needs to Know

We do see some similarities between GDPR and CCPA, especially in their purpose and definitions. Both GDPR and CCPA are heavily focused on consumers’ desire for privacy and control over their personal information. After reviewing both laws, you’ll find regulators designed both to give consumers more rights and hold businesses accountable for respecting consumers’ privacy. You’ll also notice that the two laws’ definitions for the terms “processing” and “personal information” closely align.

Many of the best practices that organizations are using to comply with GDPR will be effective when beginning to comply with CCPA. Data mapping, documentation review, contract management – these activities will assist organizations in their compliance journeys. Additionally, CCPA may become a model for other state privacy laws or even a federal privacy law, so compliance with CCPA may give organizations an advantage for compliance with other state or federal privacy laws.

If GDPR or CCPA applies to your business, we encourage you to begin your preparation by following the data, starting the paper chase, performing thorough internal documentation review, and identifying which security standards are appropriate for your organization. Contact us today for more information on how to comply with state laws or GDPR.

More Resources

The Cost of GDPR Non-Compliance: Fines and Penalties

10 Key GDPR Terms You Need to Know

What NY CRR 500 Means for Vendor Compliance Management

What is Cybersecurity?

Horror Stories: Facebook Fallout

In late September, Facebook gave a new security update, outlining a breach that has impacted 50 million users – Facebook’s largest breach ever. The social network has been under intense scrutiny this year after the Cambridge Analytica scandal and has been redirecting their security team since the departure of their chief security officer, Alex Stamos. With the midterm elections coming up, this massive breach couldn’t have come at a worse time for Facebook. Users, regulators, lawmakers, and competitors are watching to see how Facebook improves the way it handles the private data of its users and how the social network giant handles this latest breach. Many believe it is time for the government to step in, and others are focusing on the GDPR implications of this breach.

Facebook’s Largest Breach: What Happened?

Even this early on in the investigation, Facebook knows that the attack stemmed from the “View As” feature, which impacted access tokens. Specifically, hackers exploited a combination of three bugs: one in a post composer for birthday posts, one in a new version of a video uploader, and one when using the “View As” feature in conjunction with the video uploader. In their security update, Facebook reported, “When using the View As feature to view your profile as a friend, the code did not remove the composer that lets people wish you happy birthday; the video uploader would generate an access token when it shouldn’t have; and when the access token was generated, it was not for you but the person being looked up. That access token was then available in the HTML of the page, which the attackers were able to extract and exploit to log in as another user. The attackers were then able to pivot from that access token to other accounts, performing the same actions and obtaining further access tokens.”

To quickly fix the vulnerability, Facebook reset the access tokens of the 50 million impacted accounts, plus reset another 40 million accounts as a precautionary measure. As a result, users had to log back into their account, then see a notification in their News Feed explaining the security incident. Facebook also switched off the “View As” feature during their security review. As the investigation continues, Facebook must provide transparency about three elements of this breach: if accounts or data were misused, who the attackers were, and if third-parties were impacted.

Facebook needs to clearly announce whether accounts were misused or if any private information was accessed during this breach. All we know so far is that the attackers retrieved basic profile information like name, gender, or hometown. Guy Rosen, vice president of product management at Facebook, explained in a press call, “…We don’t know exactly how – which and how – what information we will find has been used. What we’ve seen so far is that access tokens were not used to access things like private messages, or posts, or to post anything to these accounts and we’ll update as we learn more…what we also can confirm is that no credit card information has been taken. We do not display credit card information, even to account holders.”

The public also wants to know who these hackers are and who they’re supported by. Guy Rosen explained in a press call, “Given this investigation’s still early, we haven’t yet been able to determine if there’s specific targeting. It does seem broad and we don’t yet know who is behind these attacks or where there’s base – or where they might be based…The investigation is early, and it’s hard to determine exactly who was behind this, and we may never know. This is a complex interaction of multiple bugs that happened together. It did – it did need a certain level in order for the attacker to run this attack in a way that not only gets access tokens, but then pivots on those access tokens and continues to further – get further access tokens using this mechanism.”

Facebook must also investigate if any third-party services that use its single sign-on function were impacted by this breach. So far, Facebook hasn’t found evidence of third-parties becoming compromised. Thousands of companies use this identity provider function, like Spotify, Instagram, Airbnb, Pinterest, GoFundMe, Headspace, and others. Guy Rosen stated that WhatsApp users are not impacted by this breach, but Tinder has called on Facebook for transparency and full disclosure during their investigation to better support third-parties in their own investigations.

Midterm Elections, GDPR Implications, and Facebook’s Reputation

There seems to be two conversations surrounding Facebook’s latest breach: how this attack reflects Facebook’s preparation for the midterm elections and how this attack needs to be handled in terms of GDPR.

With the midterm elections coming up and the Cambridge Analytica scandal in the rearview, users, regulators, lawmakers, and competitors are watching to see how Facebook is protecting itself from election interference. In fact, two weeks before this breach, Mark Zuckerberg posted Preparing for Elections, a blog post addressing exactly that – Facebook’s defense against election interference. It calls for enforcement over fake accounts, the spreading of misinformation, and advertising transparency and verification. It also speaks of coordination with governments and industries across the globe. Zuckerberg wrote, “While we’ve made steady progress, we face sophisticated, well-funded adversaries. They won’t give up, and they will keep evolving. We need to constantly improve and stay one step ahead. This will take continued, heavy investment in security on our part, as well as close cooperation with governments, the tech industry, and security experts since no one institution can solve this on their own.”

In the wake of this latest breach, is Facebook’s defense plan enough?

With GDPR in mind, Facebook notified the FBI and the Irish Data Protection Commission of this breach. Many suspect that if not for the GDPR’s breach reporting requirements, Facebook wouldn’t have notified the public about this breach until there were more details about the scope of who was impacted and where the attack came from. From the Irish Data Protection Commission’s tweets, we can gather that they are not satisfied with the level of detail provided in Facebook’s breach report. Organizations worldwide need to recognize how strict GDPR’s breach reporting requirements are and what penalties they could face.

During a press call, the New York Times asked Zuckerberg, “I’m just thinking back to your testimony in congress and one of the main points you made was if Facebook’s here to serve its users and if you can’t be responsible with user data then you don’t deserve to serve users. And I guess I’m just wondering if you still think you all are able to do that because it just — it seems like a pretty — another pretty big breach of user trust?” This is the exact question so many are wondering. If Facebook takes a hit from any more breaches or incidents, how will users, regulators, lawmakers, and competitors react?

More Resources

Facebook’s Morning Press Call Transcript

Facebook’s Afternoon Press Call Transcript

Twitter’s Election Integrity Update

7 Deadly Breaches of 2018 (So Far)

7 Deadly Breaches of 2018 (So Far)

With the complexity of the current threat landscape, organizations must be more alert than ever to potential data breaches. Who will be next? What happened? What will the fine be? While we’re only midway through 2018, we’ve seen headline after headline from organizations who have come forward to notify their customers of breaches. Let’s a take look at some of the top data breaches of 2018 to learn what went wrong and how you can prevent a costly data breach from occurring at your organization.

Under Armour

The data breaches of 2018 began with a household name. In March, Under Armour announced that it had become aware of a February data breach of its subsidiary fitness and nutrition app, MyFitnessPal. 150 million users’ data was acquired by an unauthorized party, ranging from usernames, email addresses, and hashed passwords. Fortunately, cardholder data was not compromised because that data is collected, processed, and protected separately.

What can we learn from this? Under Armour and MyFitnessPal’s incident response was timely and factual. Four days after discovering the data breach, MyFitnessPal notified their users and gave specific instructions of what to do next: change your password and look for suspicious activity on your account. What is your organization’s incident response plan?


While many data breaches of 2018 were due to malicious hackers, approximately 1.5 million SunTrust customers’ data was stolen by an ex-employee with the intent to share the records with a criminal third party. The compromised records included names, addresses, phone numbers, and account balances, but no PII like user IDs, Social Security numbers, account numbers, PINs, or driver’s license information.

What can we learn from this? Malicious insider threats need to be taken just as seriously as third-party threats. Establishing, implementing, reviewing, and updating policies that determine who has access to your organizations sensitive data is critical. The more employees who have access, the more risk there is. Are you operating on a policy of least privilege? How are you updating access to PII if an employee resigns, is terminated, or promoted?


Family networking and genealogy provider MyHeritage recently announced a data breach spanning from October 2017 to June 2018. A security researcher discovered a file containing email addresses and hashed passwords on a private server, impacting 92 million users, with no evidence that the information was ever used. MyHeritage reported that no other sensitive information was compromised because users’ cardholder information is not stored on MyHeritage systems and other types of sensitive data (like family trees and DNA data) are stored by MyHeritage on separate systems with added layers of security.

What can we learn from this? While no cardholder information or DNA data was compromised, the breach at MyHeritage underscores the need for organizations (and users) to utilize some type of multi-factor authorization.


In late June, a security researcher discovered that Exactis, a Florida-based marketing and data aggregation firm, left its database exposed on a publicly accessible server, leaving the data of nearly 340 million individual records visible. Aside from including basic contact and public information, the data also includes more than 400 variables on a range of specific characteristics: what religion a person belongs to, whether or not they smoke, what hobbies they’re involved with, etc. The company has yet to make a public statement about the breach but secured its database upon notification of the breach.

What can we learn from this? With GDPR compliance on the rise, the Exactis breach highlights the need for marketing firms to think about their data handling practices. This data breach also probes digital consumers to consider their data rights and what type of personal characteristics they want in the public. Phone numbers, home addresses, email addresses, interests and habits, the number, age, and gender of your children – it’s all out there.


In June, Ticketmaster UK discovered that its customer support chatbot software from Inbenta was hacked. We’ve now discovered that this breach exposed a much greater one: a massive credit card skimming campaign by the threat group Magecart. Magecart’s pattern seems to be targeting third-party software companies that build and provide code to their customers, who use the code on their website, and then Magecart hackers break in and alter the code so that it impacts every website that the code runs on. It’s reported that Magecart has compromised over 800 e-commerce sites worldwide. As the year goes on, we expect MageCart’s campaign to be recognized as one of the most damaging data breaches of 2018.

What can we learn from this? The importance of vendor compliance management cannot be overstated. In this breach, TicketMaster’s customer support chatbot vendor was the key MageCart needed to compromise their website. You’re putting a great deal of control and responsibility into vendor’s hands; in TicketMaster’s case, they put part of the security of their website in Inbenta’s hands.

Panera Bread

The Panera Bread data breach that came out this year is a bit puzzling, but that’s what makes it so interesting. In August 2017, a security researcher reported a vulnerability to Panera Bread, but the claim was dismissed. Apparently, Panera Bread didn’t even take the claim seriously enough to look into because eight months later, the bakery-cafe announced a data breach of their website that exposed thousands of customer records. This was only after KrebsOnSecurity broke the story, talked to Panera, and got them to take their website offline and fix the vulnerability. Trust us, there was a lot of back-and-forth between Krebs and Panera Bread before the issues were resolved.

What can we learn from this? It’s clear that security alerts and monitoring procedures were not appropriately implemented in this situation. Monitoring is a critical aspect of any information security program.


Timehop, a social media memory-sharing app, discovered a data breach where up to 21 million users were affected. The network intrusion occurred because an access credential to their cloud computing environment was compromised from a lack of multi-factor authentication. Within 2 hours of discovering the network intrusion, Timehop responded to the event.

What can we learn from this? Timehop’s incident response approach has been extremely transparent and accessible, one of the most thorough that we’ve seen after data breaches of 2018. In their security incident report, the company goes above and beyond the norm by apologizing, providing a technical report, outlining the number of GDPR records breached, answering FAQs, defining the terms used, and providing next steps for users.

As the year goes on, stay alert to learn about more data breaches of 2018, what caused them, how to respond, and how to learn from others’ mistakes. Have questions about incident response, breach prevention, or compliance requirements? Contact us today.