
What the GDPR Means for Canadian Businesses

With the severity of cyber attacks increasing on what seems like a daily basis, governments are now stepping in to provide guidance and keep the general public both safe and informed.

In Canada, the Digital Privacy Act (DPA), which amends the Personal Information Protection and Electronic Documents Act (PIPEDA), is the federal law that dictates how organizations respond to and report data breaches. However, these are not the only cyber-related laws Canadian businesses have to contend with, as Europe’s data breach regulations can have a sweeping impact on international businesses of all kinds.

In fact, any organization that operates or sells in the European Union (EU) or manages EU-based information could face major fines if they fail to comply with the General Data Protection Regulation (GDPR). As such, it’s crucial for organizations to have a general understanding of the GDPR and how to remain compliant.

What is the GDPR?

The GDPR, which comes into force May 25, 2018, is unique in that it is not simply limited to organizations that have a physical presence in the EU. Regardless of the location of a business, the GDPR applies to businesses that process personal data of EU-based individuals and:

  • Offer goods or services to an individual in the EU (even if those goods and services are offered at no charge)
  • Monitor the online behaviour of individuals from the EU

Based on these provisions, the GDPR can have a broad effect on organizations, regardless of their size, location or nature of operations. Effectively, those that trade in the EU or hold data of EU-based individuals must comply with the GDPR.

Fines and Compliance Requirements

Understanding the GDPR is important, especially when you consider that failing to comply can result in major fines and penalties—up to €20 million or 4 per cent of a company’s global annual turnover.

With the severity of these fines, just one GDPR violation can financially devastate an organization. That’s why it’s critical that companies understand what’s expected of them when it comes to GDPR compliance.

The following are five key features of the GDPR that businesses should be aware of:

1. Obligations for controllers and processors—The GDPR defines two distinct types of operations in its regulations—controllers and processors. The following are general definitions and standards that apply to these entities:

  • Controllers—Under the GDPR, any organization that collects, uses or discloses personal information of EU citizens may be considered a controller. Controllers are expected to protect the data of EU citizens and ensure that the processor who processes personal data on their behalf is also complying with GDPR rules. Controllers are also expected to conduct privacy impact assessments for any processing which is likely to result in a high risk and maintain records of all processing activities.
  • Processors—As mentioned above, processors process data on behalf of controllers. These entities must also implement appropriate safeguards, return or delete data once processing is complete, and notify the controller of any data breaches. Processors cannot subcontract any tasks without a controller’s permission.

2. Consent requirements—Per the GDPR, consent to process data must be given unambiguously by the owner of the data itself. Silence or inactivity does not constitute consent. In instances where an organization processes data for individuals under the age of 16, parental consent is required.

3. Mandatory data breach notifications—Following a data breach, affected individuals must be notified by the controller within 72 hours of the breach’s discovery. However, in instances where the breach could impact the rights and freedoms of affected individuals, the notification must be made without delay. Processors are also obligated to report the breach to the company that collects and/or controls the lost data.

4. Right to erasure—Per the GDPR, controllers are required to erase processed and/or stored personal data in the following situations:

  • If the data is no longer needed
  • If an individual objects to processing
  • If the processing was unlawful

5. Requirement for data protection officers—Under the GDPR, controllers and processors may be required to designate a data protection officer in the following scenarios:

  1. If data processing is carried out by a public authority or body
  2. If core activities involve regular and systematic monitoring of individuals on a large scale
  3. If core activities consist of large-scale processing of certain categories of data (i.e., data related to racial or ethnic origins, criminal convictions or political views)

While the above list outlines a number of the major GDPR considerations, it should not be used as a compliance guide. To review the final version of the regulation, helpful FAQs and summaries of key changes, visit the EU’s official website on the GDPR.

Ensuring Compliance

For organizations new to EU privacy laws, the GDPR can be overwhelming and confusing. Thankfully, Canadian businesses can do the following to ensure they are compliant and avoid potential fines:

  • Conduct a readiness assessment. Review the GDPR and determine if it applies to your business. If your organization determines that it’s subject to the GDPR, it’s important to evaluate how much EU data your business processes. Be sure to also examine the potential impact of the GDPR on your operations.
  • Identify compliance gaps. During your initial assessment, it’s important to identify any potential compliance gaps. In some cases, you may find that you are able to reduce your GDPR compliance burden by changing the way you store or track EU data.
  • Establish oversight. When it comes to GDPR governance, it’s important to take a structured approach. Continually document, model and coordinate potential GDPR issues and remediation strategies.
  • Implement a GDPR compliance program. After you’ve established key processes to identify compliance gaps, create a GDPR program to address potential concerns. This program should account for the following:
    • Governance
    • Policy management
    • Data life cycle management
    • Individual rights processing
    • Information security
    • Data breach management
    • Data processor accountability
    • Training and awareness
  • Remain prepared. Once your GDPR program is in place, conduct ongoing assessments to ensure continued compliance.

While the GDPR may be similar to PIPEDA and other privacy legislation in Canada, organizations should never assume compliance. Even if your business has well-defined data management practices and privacy policies in place, all organizations must review their current system for GDPR compliance issues and fill in any gaps.

Round Out Your Cyber Risk Management Program

In today’s environment, organizations process massive amounts of personal data every day. This data is a popular target for cyber criminals, and just one breach can result in serious financial losses and reputational damages.

If that weren’t enough, businesses that don’t respond to these incidents in accordance with federal and international privacy laws face hefty fines and penalties. To better protect your organization, it’s important to speak with a qualified insurance broker.

Not only can brokers provide general guidance on any applicable data breach laws, they can also help you round out your risk management programs with custom insurance policies.

© Zywave, Inc. All rights reserved


Ontario Pay Transparency Legislation Could Be in Force by Jan. 1

Overview

The government of Ontario recently announced legislation—Bill 203, the Pay Transparency Act, 2018—that would require employers to track and publish compensation information. The goal of this legislation is to close the wage gap between women and men in the province.

Bill 203, which would establish new requirements for increasing hiring and payment practices transparency, has passed first reading and is making its way through the legislative process. The proposed legislation could be passed as early as Jan. 1, 2019.

In order to prepare for the legislation, organizations need to be aware of how Bill 203 could affect their business.

How Bill 203 Could Impact Your Business

If passed, Bill 203 would impose a number of pay-related requirements on employers. Specifically, the bill would require the following:

  • Recruitment—Once in force, Bill 203 would prevent employers from asking for or seeking information regarding an applicant’s compensation history. However, applicants can volunteer this information if they are not prompted. During the recruitment process, employers would also be expected to provide a compensation range in publicly advertised job postings. Notably, these restrictions do not apply to any publicly available compensation information.
  • Transparency reports—If passed, Bill 203 would establish a number of reporting requirements related to compensation. Among these requirements, employers would have to publish pay transparency reports that highlight information related to the employer, its workforce composition, and compensation differences with respect to gender and other prescribed characteristics. In addition to submitting these reports to the government, employers would be required to post these reports online or in such a way that employees can easily view and access them. Specifics related to pay transparency reports, including their format and key features, will likely be finalized following a consultation period or once the legislation is passed.
  • Reprisal—One of the key features of Bill 203 is the way it prevents employers from taking retaliatory action. Under the proposed act, employers are prohibited from intimidating, dismissing or penalizing employees for doing either of the following:
    1. Inquiring about their compensation or pay transparency reports
    2. Giving information about the employer’s compliance or non-compliance with the bill’s requirements to the government

Enforcement measures will likely begin with Ontario’s public service organizations. After the initial consultation, the new rules will apply to employers with more than 500 employees, followed by employers with more than 250 employees. In addition, these new measures will work hand in hand with existing pay equity measures in Ontario, including the Equal Pay for Equal Work requirement found in the Employment Standards Act and the Pay Equity Act.

Once passed, the government may appoint compliance officers to conduct compliance audits. These audits could be performed without a warrant, and monetary penalties would likely be enforced. While there is currently no official timetable, Bill 203 is primed to have a major impact on employers’ hiring practices and reporting requirements.

To learn more and read the current version of Bill 203, click here.



ABEX Remains Independently Owned and Operated

It wasn’t us! Some of our brokers thought that ABEX Affiliated Brokers Exchange Inc. was a part of the acquisition by iA Financial Group. To clarify, it was ABEX Brokerage Services, an MGA serving life insurance and investment advisors in Western Canada that was involved in the acquisition.

We have no affiliation with either of the companies and remain independently owned and operated. Our brokers can now breathe a sigh of relief!

To read the article that prompted the broker inquiries, please click here.


Cryptocurrencies and What They Mean for Businesses

Technology has added efficiency and modern conveniences to daily life. Among these conveniences, computer experts have managed to apply digital traits to new, online currencies in what is called cryptocurrencies.

Simply put, cryptocurrency is digital money that operates independently of a bank and can be used similarly to cash around the world. Cryptocurrency is a relatively new way for businesses to accept and send payments to customers, vendors and suppliers. Despite concerns over cryptocurrencies, they aren’t likely to go away anytime soon as an alternative method of payment, investment or means of raising capital.

While it can be easy to get caught up in the excitement and potentially lucrative nature of cryptocurrencies, it’s important to understand how they work as well as their positives, negatives and risks.

How Do Cryptocurrencies Work?

While it may seem confusing on the surface, the way cryptocurrencies function is actually quite simple. Relying on encryption technology to make transfers, most cryptocurrencies are decentralized and work without administrators. This means that there is no central entity or authority that manages the creation and use of cryptocurrency.

Like most currencies used around the world, cryptocurrencies store value and have specific exchange rates. Cryptocurrencies are similar to commodities like gold or platinum in that they have a limited supply.

Bitcoin, one of the most popular cryptocurrencies, encourages users to participate in the system by rewarding additional bitcoins. In fact, this is the only way new bitcoins circulate.

To use cryptocurrencies, consumers and businesses must first acquire a cryptocurrency wallet account. These accounts work like a bank, but are designed specifically for individuals who want to purchase or accept cryptocurrency. Most cryptocurrency coins have an official wallet or recommended third-party wallets, and it’s important to conduct thorough research before choosing a service.

After you have acquired a wallet, you can purchase cryptocurrencies on open exchanges and use them for a variety of transactions. You can even convert cryptocurrencies to cash at a later date if you so choose.

The Positives and Negatives of Cryptocurrencies

Cryptocurrencies—and bitcoin in particular—have greatly increased in popularity over the past few years.

Japan declared bitcoin legal tender in 2017 and online services like Microsoft, Overstock and PayPal also accept the currency.

Before adopting cryptocurrency at your business, you must consider its potential benefits and drawbacks.

The Benefits of Cryptocurrencies

  • No processing fees—Unlike traditional forms of payment like credit cards, cryptocurrencies have no processing fees. This is because cryptocurrency transactions are facilitated through a decentralized ledger on what’s known as a blockchain. Transactions are recorded on the blockchain chronologically, and users can create, verify and enforce transactions without an intermediary or central authority.
  • High transaction speed—Credit and debit card payments often take two to three days to process and clear. With cryptocurrencies, transactions happen in real time and take about 10 minutes or less. As an added bonus, cryptocurrency transactions are final, which means consumers can’t dispute a charge and negate a sale.
  • Increased payment options—The more payment options you can provide as a business, the better. As such, cryptocurrency has the potential to attract a wider customer base.

The Drawbacks of Cryptocurrencies

  • Price volatility—The value of bitcoins and other cryptocurrencies can change drastically over a small period of time.
  • Anonymity—While the details of cryptocurrency users and transactions are often held in a public ledger, names and locations are encrypted. This can be an issue when complying with regulations on customer identification or fraud protection.
  • Cyber security—Cryptocurrencies exist digitally, and the proof of ownership is often limited to the private keys used to authenticate transactions. This makes cryptocurrencies a prime target for hackers, especially because many businesses aren’t aware of how to protect this new form of currency.

Should You Accept Cryptocurrency?

While global companies like Amazon and Microsoft accept cryptocurrency, that doesn’t necessarily mean it’s right for your organization, especially if you’re a small business. Before using cryptocurrency, it’s important to conduct adequate research and understand how it may impact your company. In addition, you should speak to a qualified insurance broker to determine how using cryptocurrency opens you up to new risks.



The Overlooked Physical Exposures of a Cyber Attack

More than ever before, organizations are aware of the potential financial impact of a cyber attack. Many wrongfully assume that the steep, monetary burden of a cyber attack is exclusively tied to damaged digital assets, lost records, and the price of investigating and reporting a breach. While those expenses represent a considerable hit, damage to an organization’s physical assets can be just as harmful.

Cyber attacks that cause physical damage typically occur when a hacker gains access to a computer system that controls equipment in a manufacturing plant, refinery, electric generating plant or similar operation. After the hacker gains access to an organization’s machinery, they can then control that equipment to damage it or other property.

These types of events can lead to major disruptions and costly damages. To safeguard their physical assets, it’s critical that organizations understand what types of businesses and assets are exposed to these attacks.

What’s At Risk?

To better understand what kinds of physical losses can occur following a breach, it’s helpful to compare cyber attacks to a natural disaster or other industrial accident. Following these kinds of incidents, organizations often incur costs to repair and replace damaged equipment in addition to any lost revenue caused by the disruption.

Unlike natural disasters, however, cyber attacks that cause physical damage aren’t limited to a geographic location and can impact an entire network. This means that damages caused by a breach can be widespread, affecting multiple sectors of the economy depending on the target.

Because of this, cyber attacks that cause physical damage are often dynamic and extensive. When an attack on critical infrastructure occurs, it not only affects business owners and operators, but suppliers, stakeholders and customers as well.

Who’s At Risk?

Cyber attacks that cause physical damage—the targets, the assailants, the motivations and the means of the attack—are constantly evolving. Incidents can occur in a variety of ways, including phishing scams, internet exchange point attacks, breaches of unsecured and unencrypted devices, and even plots carried out by rogue employees.

When discussing these attacks, many experts cite power and energy sector organizations as the most at-risk. However, vulnerabilities also exist in utilities, telecommunications, oil and gas, petrochemicals, mining and manufacturing, and any other sectors where industrial control systems (ICSs) are used.

ICSs are open computer systems used to monitor and control physical processes as well as streamline operations and repairs. ICSs are not often designed with security as a primary consideration, which leaves them susceptible to attack. What’s more, for many automated processes, attacks don’t even need to cause physical damage to result in significant disruption and losses.

So, when it comes to the emerging risk of cyber attacks that cause physical damage, targets vary by industry and the damages can be extensive due to the interconnected nature of ICSs.

Real-world Examples

Because organizations are not always required to make cyber attacks that cause physical damage public, they largely go unreported. However, the following are a number of high-profile incidents that demonstrate how important it is to consider physical and infrastructure cyber exposures:

  • Ukrainian power grid attack—This was a multistage, multi-site attack that disconnected seven 110 kV and three 35 kV substations. Together, the attack resulted in a power outage for 80,000 people and lasted for three hours. Using only a phishing scam, the attackers were able to cause substantial, prolonged disruption to the economy and general public.
  • Saudi Arabian computer attacks—In these incidents, hackers destroyed thousands of computers across six organizations in the energy, manufacturing and aviation industries. Through a simple virus aimed at stealing data, computers were wiped and bricked. Not only did this mean critical business data was lost forever, but all of the damaged computers had to be replaced—a substantial cost for businesses of any size. This attack was similar to an attack on Saudi Aramco, the world’s largest oil company, which destroyed 35,000 computers.
  • Petrochemical plant attack—This attack targeted a Saudi Arabian petrochemical plant. The attack was unique in that it wasn’t designed to steal data, but rather sabotage operations and trigger an explosion. The only thing that prevented an explosion was a mistake in the attackers’ computer code. Had the attack been successful, the plant would likely have been destroyed and many employees could have died. Experts are concerned that similar attacks could be carried out across the globe.
  • Hospital ventilation attack—In this incident, a hacker was able to damage and control a hospital’s HVAC system using malware. This attack put the safety of staff, patients and medical supplies in jeopardy, as the hacker could control the temperature of the facilities at will.

Attacks causing physical damage will likely become increasingly common as technology advances and hackers continue to get more creative. Even more concerning is that these kinds of attacks not only endanger a company’s data, reputation and finances, but human lives as well.

How Do I Protect My Organization?

Insurance coverage for cyber attacks that cause physical damage is still in its infancy, and your organization may have gaps in protection. Even if your property insurance policy includes physical or non-physical damage coverages, that does not necessarily mean you’re covered for first- or third-party losses from cyber attacks.

The level of protection your company has depends largely on the structure of your policies. As such, it’s critical for businesses to do their due diligence and understand if their policies do the following:

  • Impose any limits on coverage, particularly as it relates to physical damage of tangible property
  • Cover an attack and any resulting damages
  • Provide contingent coverage for attacks that aren’t specifically targeted at the organization

While it’s important to speak with a qualified insurance broker about your cyber risk policy options, there are a number of steps businesses can take by themselves to protect their physical assets. In addition to implementing a cyber risk management plan, businesses should consider doing the following to protect their data:

  1. Keep all software up to date.
  2. Back up files regularly.
  3. Train employees on common cyber risks and what they should do if they notice anything suspicious.
  4. Review your exposures and speak with your insurance broker to discuss policy options for transferring risk.
