In the wake of the Facebook data scandal, the Canadian Government quietly announced that the long-anticipated Canadian data privacy law – the Personal Information Protection and Electronic Documents Act (PIPEDA) – will come into force on November 1st, 2018. The Digital Privacy Act (DPA) was originally enacted as an amendment to PIPEDA in August 2015 and provided guidelines as to what Canadian companies must do when there is a data breach, but it lacked any teeth with respect to notification requirements.
While we read about data breaches all over the world, impacting the largest of organizations – how many Canadian data breaches come to mind? Well, you can probably count all of them on one hand, and this could be due to the fact that there’s no law that compels Canadian companies to notify, but now that’s finally going to change. (The exception is Alberta, the only province with a statutory breach notification requirement already in place.) Details of the final regulations have yet to be announced, but mandatory breach reporting to the Federal Privacy Commissioner is becoming a clear requirement, with penalties for failure to notify.
With PIPEDA coming into effect, many Canadian organizations will finally come to realize that they are on the hook for protecting their data; otherwise they could face stiff financial and public repercussions.
Over the last several years, after speaking with many Canadian organizations from a variety of industries, I was very surprised to discover that the majority of them did not have a web application firewall (WAF) to protect their web applications and thought that their web applications were secure. Common responses were, “My <network firewall / IPS / service provider> takes care of that,” but usually, after a few more questions, it became evident that their web application was pretty much “naked” on the public Internet.
If you’re an organization operating in today’s digital economy, it’s highly likely you’ll have:
- a website,
- customers that use your website, and
- a database storing your customers’ personal information behind that website.
A minimalist web application security strategy requires at least a WAF, which would provide basic protection against many of the common application-layer OWASP Top 10 threats that hackers may employ to steal data. Of course, secure development, patching, vulnerability assessments, pen-testing, etc. are all very important parts of an overall security strategy, but a properly managed web application firewall should be considered a critical component of any web application strategy, especially if you’re storing customer or employee PI. It comes as no surprise that over the last 3 annual reports (2016-2018), the Verizon Data Breach Investigations Report (DBIR) disclosed that web application attacks accounted for more data breaches than any other category of attacks.
While PIPEDA and the data breach notification amendments will not prescribe specific technologies to safeguard any PI under the care of your organization, they indicate that you need to have a Privacy Officer, i.e. someone responsible for privacy and the deployment of privacy policies in support of PIPEDA. From a security perspective, both the GDPR and PIPEDA put the onus on organizations to ensure that the necessary safeguards are in place to protect PI. A security policy must be in place to protect PI, appropriate security technologies (e.g. firewalls) should be implemented to protect PI, and proper measures must be taken to address known vulnerabilities. But in comparison to the EU’s GDPR, Canada is both late to the game and a bit short in terms of penalties for failure to notify of a breach.
The GDPR comes into full force on May 25th. Breach of obligations under PIPEDA is proposed to be capped at $100,000 CAD per incident, while the GDPR can fine as much as €20 million, or 4% of total annual revenue for the preceding fiscal year – whichever is higher. While PIPEDA is not as stringent as the GDPR, if you’re a Privacy Officer or CISO of a Canadian organization doing business with EU citizens, you had better make sure your company is ready for both! For organizations just starting a privacy program to comply with PIPEDA, you need to review PIPEDA’s Privacy Toolkit, and I highly recommend Dr. Ann Cavoukian’s approach: Privacy by Design.
In summary, web application data breaches are prevalent, and if your organization has a web application that connects back to a customer database, you need to deploy a web application security strategy such as Oracle Dyn, which provides a complete and integrated security platform including WAF, DDoS protection, API security, Bot Management and data sovereignty controls.