1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • SME CyberShield
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • SME CyberShield
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

3/8/2023

0 Comments

The Risks of Using TikTok for Canadian Businesses: A Privacy and Security Analysis

 
businessman uses TikTok on his phone

TikTok has quickly become one of the most popular social media platforms among Canadians, with millions of users creating and sharing short-form videos every day. While the app was initially known for its popularity among young people, it has recently gained traction among businesses looking to connect with a broader audience. However, as with any technology, TikTok poses potential privacy and security risks for those who use it. Canadian businesses should be aware of these risks before jumping on the TikTok bandwagon.

This article will explore the risks associated with using TikTok for business purposes and provide tips and best practices for mitigating those risks.

Privacy Concerns on TikTok

Like any social media platform, TikTok collects significant user data, including location information, browsing history, and device identifiers. While TikTok has stated that this data is used to personalize the user experience and serve relevant ads, there is potential for this data to be mishandled or exploited.

For example, in 2020, TikTok was caught accessing the clipboard data of iOS users without their permission, raising concerns about the company's data collection practices. Additionally, there have been reports of TikTok sharing user data with the Chinese government, which has led to bans or restrictions on the app in some countries.

These privacy concerns are not just limited to individual users but also apply to businesses that use TikTok as a marketing tool. Suppose a business's data is compromised on TikTok. In that case, it could have serious consequences, such as damage to reputation, loss of customer trust, or legal repercussions. 

Therefore, Canadian businesses need to be aware of the privacy risks associated with TikTok and take steps to protect their data.

Security Risks on TikTok

In addition to privacy concerns, TikTok also poses potential security risks for businesses. The app's algorithm, which is responsible for suggesting content to users based on their interests, has been criticized for being easily manipulated. This means malicious actors could use the algorithm to spread fake news, propaganda, or other harmful content.

Furthermore, there have been reports of security breaches on TikTok, including phishing scams and malware attacks. These attacks can be especially damaging for businesses, as they may result in the theft of sensitive information or financial losses.

While TikTok has implemented security measures to mitigate these risks, it is ultimately up to individual users and businesses to take responsibility for their own security. By using strong passwords, enabling two-factor authentication, and monitoring for suspicious activity, Canadian companies can reduce the likelihood of security breaches on TikTok.

It is also important to note that TikTok's security risks are not unique to the app - businesses must be vigilant about security on all social media platforms and digital channels.

Mitigating Risks on TikTok

While the risks associated with using TikTok for business purposes cannot be completely eliminated, there are several steps that Canadian businesses can take to protect their privacy and security on the platform.

First and foremost, it is vital to review TikTok's terms of service and privacy policy before signing up. This will give businesses a clear understanding of how their data will be used and what measures TikTok has in place to protect user privacy and security.

Canadian businesses should also be mindful of the amount of personal or sensitive information they share on TikTok. This could include avoiding sharing confidential business information or personal employee data on the platform. Businesses should also consider limiting the amount of data that third-party apps or services have access to through TikTok.

Another important step for businesses to take is to use strong, unique passwords and enable two-factor authentication on their TikTok accounts. This will help to prevent unauthorized access to the account and protect against hacking attempts.

Finally, businesses should be vigilant about monitoring and reporting suspicious activity on TikTok. This could include monitoring for unusual login attempts or messages, reporting suspected phishing or malware attacks, and reporting any content that violates TikTok's community guidelines.

By following these tips and best practices, Canadian businesses can reduce the risks associated with using TikTok for business purposes and protect their privacy and security on the platform.

Specific Areas of Concern in TikTok's Terms of Service

TikTok's Terms of Service outline the platform's policies and guidelines for users. Here are some areas of concern related to privacy and security:

  1. Collection of Personal Data: TikTok collects a significant amount of personal data from its users, including their location, browsing and search history, device information, and content they create and share. While the company claims that this data is used to personalize the user experience and improve the app's functionality, it raises concerns about the potential misuse of this data.

  2. Sharing of Personal Data: TikTok may share user data with third-party companies, including advertisers, business partners, and service providers. While the company claims that it only shares this data for specific purposes, it raises concerns about the potential for this data to be misused or compromised.

  3. User-generated Content: TikTok's Terms of Service state that user-generated content may be used and shared by the company for promotional purposes, without providing any compensation to the user. This raises concerns about the ownership and control of the content that users share on the platform.

  4. Security Measures: While TikTok claims to have implemented security measures to protect user data, there have been reports of security vulnerabilities and data breaches. This raises concerns about the platform's ability to protect user data from unauthorized access or misuse.

Overall, TikTok's Terms of Service raise significant concerns about privacy and security, particularly related to the collection, sharing, and use of user data. It is important for users to be aware of these risks and take appropriate steps to protect their personal information.

Conclusion

TikTok has become a popular marketing tool for Canadian businesses looking to connect with a broader audience. However, it is essential to recognize that the platform also poses privacy and security risks that should be addressed. In this article, we have discussed the potential risks associated with using TikTok for business purposes, including privacy concerns and security risks, and provided tips and best practices for mitigating those risks.

Canadian businesses should be aware of these risks and take steps to protect themselves on TikTok, including reviewing TikTok's terms of service and privacy policy, minimizing the amount of personal or sensitive information shared on the platform, using strong passwords and enabling two-factor authentication, and monitoring and reporting suspicious activity.

While TikTok can be a valuable marketing tool for businesses, it is crucial to recognize that these risks are not unique to the platform. Both large and small companies must be vigilant about privacy and security on all digital channels and social media platforms. By taking the necessary precautions and staying informed about the latest security threats, Canadian businesses can use TikTok safely and effectively.

0 Comments

12/7/2020

0 Comments

Canada’s Proposed Privacy Law Aims to Impose Stronger Fine of Up to 5% of Global Revenue or $25 Million

 
canada proposed privacy law fines

Canada’s Proposed Privacy Law Aims to Impose Stronger Fine of Up to 5% of Global Revenue or $25 Million

The federal government of Canada, through the Office of the Minister of Innovation, Science and Industry, has proposed a new privacy law for the private sector that aims to impose a stronger fine on organizations that remiss in protecting the privacy of Canadians.

The new proposed privacy law called the “Consumer Privacy Protection Act (CPPA),” also known as the Digital Charter Implementation Act, 2020, aims to impose administrative fines of up to 3% of global revenue or $10 million, whichever is higher, for non-compliant organizations. This new proposed privacy law also aims to impose fines for certain serious violations of the proposed law of up to 5% of global revenue or $25 million, whichever is higher.

Section 57, paragraph 3 of the Digital Charter Implementation Act, 2020 states that “security safeguards must protect personal information against, among other things, loss, theft and unauthorized access, disclosure, copying, use and modification.”

"The COVID-19 pandemic has accelerated the digital transformation, which is changing how Canadians work, access information, access services, and connect with their loved ones,” said Navdeep Bains, Minister of Innovation, Science, and Industry. “This transformation is making concerns about privacy, and how companies handle Canadians’ data, more important than ever. As Canadians increasingly rely on technology, we need a system where they know how their data is used and where they have control over how it is handled.”

Right to be Forgotten

The new proposed privacy law has its own version of the principle of "Right to be Forgotten." This right, also known as the right to erasure, gives individuals the right to ask organizations to delete their personal data.

The Digital Charter Implementation Act, 2020 gives Canadians the ability to demand that their personal information on platforms, including social media platforms, be permanently deleted in case when consent is withdrawn or when information is no longer necessary.

Canada’s Major Data Breach

In November 2019, LifeLabs, Canada’s largest provider of general diagnostic and specialty laboratory testing services, informed the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) that cybercriminals gained entry into the company’s systems, extracted data and demanded a ransom. LifeLabs informed the IPC and OIPC that the data breach affected systems that contained information of approximately 15 million LifeLabs customers (nearly half of Canada’s total population), including names, physical addresses, email addresses, customer usernames and passwords, health card numbers, and lab tests. The vast majority of these affected customers are from British Columbia and Ontario.

A joint investigation conducted by IPC and OIPC found that LifeLabs failed to protect the personal information of millions of Canadians resulting in a significant data breach in 2019. According to the two offices, LifeLabs failed to take the following reasonable steps:

  • Protect the personal health information in its electronic systems;
  • Adequate information technology security policies in place; and
  • Collected more personal health information than was reasonably necessary.

The Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia both ordered LifeLabs to implement a number of cybersecurity measures to address the company’s shortcomings. Despite their findings, however, the two offices didn’t impose financial penalties on LifeLabs as there’s no law that allows them to.

“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm,” said Michael McEvoy, Information and Privacy Commissioner of British Columbia. “This investigation also reinforces the need for changes to BC’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties.”

In a separate statement, LifeLabs said that as a result of the cyberattack, it took several measures, including retrieving the data by “making a payment.” The company, however, didn’t mention how much it paid to the attackers.

The company also didn’t mention ransomware. While the LifeLabs cyberattack has the markings of a ransomware attack, it isn’t confirmed whether the attack was a ransomware attack. 

Traditionally, ransomware attacks encrypt victims’ files, locking out victims from these files. Ransomware attackers then demand ransom from victims in exchange for the decryption keys that would unlock the locked files. Majority of today’s ransomware attackers also demand an additional ransom payment in exchange for the non-publication of the stolen data gathered during the ransomware attack.

Personal Health Information Protection Act (PHIPA)

On March 25, 2020, the Ontario government amended the Personal Health Information Protection Act (PHIPA), Ontario’s health privacy law. Once implemented, Ontario will be the first Canadian province to levy monetary penalties against individuals and companies that contravene the province’s health privacy law.

The amendment to PHIPA doubles the maximum fines for an offense to $200,000 for individuals and $1,000,000 for corporations. The amendment also mandates that an individual be imprisoned up to a year for an offense.

“Perhaps most significantly, once regulations are in place, my office [Information and Privacy Commissioner of Ontario] will be given the power to levy monetary penalties against those who contravene our health privacy law, including for breaches, such as those resulting from abandoned records,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “Privacy commissioners across the country have been calling for the power to impose administrative penalties, and Ontario will be the first to enshrine it into legislation.”

0 Comments

11/7/2019

0 Comments

Data Breach Reports Skyrocket After Implementation of Canada’s Privacy Law

 
canadian privacy law

Data Breach Reports Skyrocket After Implementation of Canada’s Privacy Law

 

The recent report from the Office of the Privacy Commissioner of Canada showed that data breach reports in Canada skyrocketed after the implementation of the mandatory data breach reporting required under the country’s privacy law.

Mandatory Data Breach Reporting

On November 1, 2018, organizations across Canada became subject to the mandatory data breach reporting under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Prior to the mandatory data breach reporting, data breach reporting was done on a voluntary basis.

Organizations subject to PIPEDA are required to report to the Office of the Privacy Commissioner of Canada any data breaches that pose a real risk of significant harm to an individual or individuals. The law also requires that the affected individual or individuals should be notified and records of all data breaches should be kept within the organization.

The Numbers After One Year of Implementation

Last November 1st, one year after the implementation of the mandatory data breach reporting, the Office of the Privacy Commissioner of Canada reported that breach reporting “skyrocket”, increasing six times the volume that the office had received during the same period one year earlier. According to the Office of the Privacy Commissioner of Canada, from November 1, 2018 to October 31, 2019, a total of 680 breaches were reported to the office, affecting over 28 million Canadians.

The Office of the Privacy Commissioner of Canada said that while some of those reports involved well-known corporate names, a significant volume came from small and medium-sized businesses.

Fifty-eight percent or 397 of the reported breaches, which made up the majority of reported breaches, involved unauthorized access, the Office of the Privacy Commissioner of Canada said. Key factors behind breaches resulting from unauthorized access were social engineering hacks and malicious insiders.

According to the Office of the Privacy Commissioner of Canada, more than one in five or 147 data breaches reported over the past year involved accidental disclosure, which includes sending critical information to the wrong person as a result of incorrect email or postal address or accidental exposure.

The Office said roughly one in four of the reported breaches involved social engineering attacks such as phishing and impersonation. In phishing attacks, attackers send malicious emails containing malicious links or attachments. Once this malicious link or attachment is clicked, it installs malicious software (malware) on the email receiver’s computer.

Impersonation

In impersonation, the tactic used in business email compromise (BEC) scams, fraudsters convince employees at an organization that they are someone. In a BEC scam, a fraudster impersonates via a spoofed email, for instance, a CEO and convinces an employee of an organization to release a certain amount to a bank account controlled by the fraudster.

According to the Office of the Privacy Commissioner of Canada, it observed a growing impersonation scam in the telecommunications industry. In the tactic known as SIM swap, an impersonator convinces a customer service representative of a telecommunication company into believing that he or she is an account holder. Successfully convincing a customer service representative, enables the impersonator to make changes to the account, including the change of a phone number to be assigned to a new SIM card controlled by the impersonator, allowing the impersonator to access other accounts.

In related information, the U.S. Federal Bureau of Investigation (FBI) recently issued an alert to its partner organizations warning them about SIM swap. According to the FBI, between 2018 and 2019, SIM swap is the most common tactic used by malicious actors in bypassing the two-factor authentication (2FA), which resulted in draining the bank accounts of the victims and passwords and PINs changed.

Notable Reported Breaches

The reported breaches at the financial cooperative Desjardins and financial holding company Capital One are two of the notable breaches over the past year as these two breaches affected millions of Canadians. The Desjardins data breach, which was initially announced in June 2019, affected 4.2 million Canadians; while the Capital One data breach, which was initially announced in July 2019, affected 6 million Canadians.

Desjardins attributed the data breach to one suspect, a former employee; while Capital One attributed the data breach to a “specific configuration vulnerability” in its public cloud infrastructure – a vulnerability that was exploited by one suspect, a former employee of the public cloud infrastructure, the Amazon Web Services (AWS).

Amazon, for its part, said in a statement, “AWS was not compromised in any way and functioned as designed.” The company added that the Capital One data breach, which also affected 100 million individuals in the United States, wasn’t a result of a vulnerability in the cloud server itself, but by a misconfiguration of firewall settings on a web application, managed on the cloud server by Capital One.

Preventive and Mitigating Measures Against Data Breaches

The Office of the Privacy Commissioner of Canada offers the following cyber security measures in order to prevent or mitigate the effects of a data breach:

  • "Know what personal information you have, where it is, and what you are doing with it. When and where do you collect personal information? Where does that information go? Who can access it, and what do they do with it? You must understand your data before you can protect it!
  • "Know your vulnerabilities. Conduct risk and vulnerability assessments and/or penetration tests within your organization to ensure that threats to privacy are identified. Don’t just focus on technical vulnerabilities, though. Are third parties collecting personal information on your behalf without appropriate safeguards? Are your employees aware of risks and their privacy responsibilities? Over the last year, the OPC [Office of the Privacy Commissioner] has seen each of these scenarios lead to a breach. Identify your organizations’ weak points before a breach identifies them for you!
  • "Be aware of breaches in your industry. Attackers will often re-use the same attacks against multiple organizations. Pay attention to alerts and other information from your industry association and other sources of industry news. Don’t be the next vulnerable target!”
0 Comments

1/16/2019

0 Comments

NASA Data Breach May Have Put Personnel Information at Risk

 
nasa data breach

NASA Data Breach May Have Put Personnel Information at Risk

In December 2018, news broke of a data breachat NASA. This is just one of the many cybersecurity issues to strike large organizations and businesses in recent months, including Facebook, Marriott and more.

It’s believed the attack may have compromised personnel data, potentially making Social Security numbers vulnerable. The breach was first discovered in October, in servers containing personally-identifiable details of NASA staff, though it was kept from staff for nearly two months.

Obviously, this is a major problem that no doubt inspired dread in anyone who believed they may have been affected. Sadly, it’s an ongoing risk when hackers continue to utilize ever-more sophisticated techniques to bring networks down or simply steal valuable information.

At the time of writing, the extent of the breach was still unknown but was assumed to affect both current and former NASA personnel (including those connected to NASA as far back as 2006).

However, such a breach may not be a surprise to anyone following NASA closely, as its cybersecurity has been flagged for its flaws in the past. Its Office of Inspector General had indicated there were problems with NASA’s entire IT management and security processes overall — something that no company of any size can afford to overlook.

The Importance of Effective Cybersecurity

For something as vast and well-known as NASA, cutting-edge security is essential to both defend against and deter potential attacks. Not only is the data of personnel under threat, but NASA is involved in a large number of important projects, and any interference, delays or disruptions could have significant repercussions.

An audit conducted at NASA’s Security Operations Center (based in California) revealed that it was underperforming in multiple ways. A reportfrom the Office of Inspector General concluded that the Security Operations Center had ‘fallen short’ of its purpose: to act as the driving force behind NASA’s cybersecurity efforts.

Lapses in management can affect cybersecurity in every company: a proper structure must be established to address potential risks, ways to manage attacks when they happen and strategies for handling the aftermath.

The NASA breach demonstrates that even technological powerhouses, responsible for some of the most mind-bending feats in history, may still fall prey to cyber-attacks.

Common Cybersecurity Pitfalls

It’s vital that your business or organization takes steps to avoid common pitfalls that essentially open the door for hackers to step into your network and help themselves to almost anything they like. What are these dangers and how do you address them?

A lack of education

Sadly, human error is one of the biggest culprits in cybersecurity flaws. While we might all like to believe we’re smart enough to stay safe online, it’s easy to make small mistakes with big consequences.

Weak passwords increase a business’s risk of attack, and all employees should be made aware of this. Likewise, sharing sensitive data with others and falling for common phishing scams can all reduce your company’s security.

This is why comprehensive education is so essential today. Even if you have intelligent staff who know their way around all of your tools and software, they could still make one tiny error that brings your entire network down.

Data breaches can chase existing and prospective customers away to competitors offering greater stability. Research shows consumers expect companies to keep their details safe, and 70 percent would walk awayfrom a brand if their finances were affected by a data breach the business should have prevented.

Undertake expert training for all staff, at every level, to minimize cybersecurity dangers. When your employees know how to create strong passwords, keep sensitive data private and spot phishing risks, you can offer customers a higher standard of protection against threats.

Depending on outdated security

Don’t leave your security software outdated — make sure you always update to the latest version and take full advantage of the defenses it offers.

While it can be easy to assume any form of firewalls and other programs designed to keep you safe will repel attacks, that’s not the case. Cybercriminals are well-versed in tiny flaws and know how to exploit them to gain access to systems, no matter how minor such gaps may seem.

If you know your security is weaker than it should be and hackers could find an obvious way into your network, take steps to address it immediately. You can’t depend on outdated software to stop the most up-to-date attacks.

Physical security oversights

Not only is effective cybersecurity fundamental to protect your employees’ and customers’ data, but physical security is just as important.

Your business site must be equipped with the best protection you can afford. Surveillance cameras, alarms, sensors, smart locks — utilize anything and everything available to keep your workplace safe from unwanted visitors.

Why? Because apart from the obvious problems related to theft, any laptops, USB sticks, hard drives or devices stolen from your office could all contain invaluable data. Thieves may either use this themselves or sell it on to cybercriminals set to target your personnel or clients.

Untrustworthy employees

Certain members of staff could seize an opportunity to steal sensitive data from your system and pass it on to others.

This may be for profit or out of a malicious aim to disrupt your operations, perhaps if they feel they have been mistreated or are due to leave the company. Whatever the circumstances, anyone with access to important information could cause major problems for your business if left unchecked.

While such individuals can cover their tracks and avoid suspicion for a long time, make sure you stay vigilant. Encourage employees to be aware of potential risks posed by colleagues and understand how important it is to report any suspicions they have.

Looking to learn more about how effective cybersecurity can protect your business from hackers in 2019? Want to work with a team of cybersecurity experts with the tools, training and techniques to help your company’s system stay secure?

Just reach out and get in touch!

0 Comments

9/12/2017

0 Comments

Gov’t of Canada Moves Closer to Implementing Mandatory Data Breach Reporting

 
Mandatory data breach reporting

Gov’t of Canada Moves Closer to Implementing Mandatory Data Breach Reporting by Publishing the Proposed “Breach of Security Safeguards Regulations”

The Government of Canada published last Sept. 2 the proposed “Breach of Security Safeguards Regulations” in the Canada Gazette. The official publication signals the approaching implementation of the mandatory data breach reporting under Canada’s Digital Privacy Act.
 
The Digital Privacy Act, a law that amended Canada’s private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), was passed by the Canadian Parliament on June 18, 2015. While it has been over two years since the passage of the Act, the law is still not in force in the absence of “Regulations” that lays out the specific details of the law. 

Digital Privacy Act

Under the Digital Privacy Act, every Canadian organization is required to do the following in case of a data breach:
  1. Notify the Privacy Commissioner of Canada
  2. Notify the affected individuals
  3. Maintain a record of the data breach
Organizations could face fines of up to $100,000 for failing to notify the affected individuals and the Privacy Commissioner of the data breach under the Digital Privacy Act.

Proposed Breach of Security Safeguards Regulations

​The proposed Breach of Security Safeguards Regulations specifically laid out the specific steps on how to notify the Privacy Commissioner, the affected individuals and the particulars of maintaining a record of the data breach.
 
Under the proposed Breach of Security Safeguards Regulations, an organization affected by the data breach must notify the Privacy Commissioner in writing and provide the following details:
  • Description of the circumstances of the breach and cause, if known
  • Data breach period
  • Description of the personal information that’s breached
  • Estimates of the number of individuals affected
  • Description of the “steps that the organization has taken to reduce the risk of harm to each affected individual resulting from the breach or to mitigate that harm”
  • Description of the “steps that the organization has taken or intends to take to notify each affected individual of the breach”
 
The proposed Breach of Security Safeguards Regulations also requires an organization to inform the affected individuals directly via by email, letter, telephone or in person. Indirect notice via a message posted on the organization’s website for at least 90 days or advertisement that’s likely to reach the affected individuals is an option under the proposed Breach of Security Safeguards Regulations in the following circumstances:
  • Giving of direct notification would result in further harm
  • Cost of giving of direct notification is “prohibitive for the organization”
  • The organization doesn’t have contact information for the affected individuals or the information that it has is out dated
 
Under the proposal, notice to individuals – whether direct or indirect notice –must contain the following information:
  • Description of the circumstances of the breach
  • Data breach period
  • Description of the personal information that’s breached
  • Description of the “steps that the organization has taken to reduce the risk of harm to the affected individual resulting from the breach or to mitigate that harm”
  • Description of the “steps that the affected individual could take to reduce the risk of harm resulting from the breach or to mitigate that harm”
  • Toll-free number or email address that affected individuals can contact to obtain further information about the breach
  • Information about the affected individual’s right under the organization’s internal data breach complaint process and under the Digital Privacy Act.
 
The proposed Breach of Security Safeguards Regulations further requires an organization to maintain a record of every data breach for a period of 24 months. Under the proposed Regulations, it isn’t clear when it will come into effect. Both the Digital Privacy Act and Breach of Security Safeguards Regulations will, however, take effect on the same day.
 
Interested persons have until October 2, 2017 to give feedback regarding the proposed Regulations.

Benefits of Mandatory Data Breach Reporting and Mandatory Data Breach Record-Keeping 

​The enforcements of the Digital Privacy Act and Breach of Security Safeguards Regulations or the mandatory data breach reporting and mandatory data breach record-keeping are expected to bring about the following benefits: 
 
1. Prevent Identity Fraud
Mandatory data breach reporting is expected to “contribute positively to the privacy and security of individuals” according to Charles Taillefer, Director for Innovation, Science and Economic Development Canada. He said, “Mandatory breach reporting allows individuals who are affected by a breach to take immediate action to protect themselves against further compromise that may lead to fraud, identity theft, humiliation, loss of employment or other forms of significant harm.”
 
Based on the 2015 Identity Fraud Study conducted by Javelin Strategy and Research, two-thirds of individuals who were impacted by a data breach become victims of identity theft or fraud. The research group defines identity fraud as the “unauthorized use of another person’s personal information to achieve illicit financial gain”. Examples of identity fraud include using a stolen payment card account to opening new accounts, making a fraudulent purchase or to taking control of existing accounts.
 
2. Help Organizations Improve Data Security
According to the Global Internet Report 2016 (PDF) by the Internet Society, mandatory data breach reporting increases transparency about data breaches – what are likely targets, what data is taken, how the breaches are carried out, what cyber security works and what doesn’t.
 
“Sharing information responsibly has a number of benefits – it could help organisations globally improve their data security, help policymakers improve policies and regulators pursue attackers, and help the data security industry produce better solutions,” Internet Society said. “All this can help protect the data ecosystem as a whole.”
 
3. Motivate Organizations to Track and Analyze Data Breaches
According to the Director for Innovation, Science and Economic Development Canada, the requirement to maintain a record for every data breach for the period of two years will “incentivize organizations to track and analyze the impact of all data security incidents”.
 
According to EY’s 19th Global Information Security Survey (PDF), 62% of organizations wouldn’t increase their cyber security spending after experiencing a breach that didn’t appear to do any harm.
 
“Cyber criminals often make ‘test attacks,’ lie dormant after a breach, or use a breach as a diversionary tactic to throw organizations off the trail of what they are really up to,” EY said. “Organizations should assume that harm has been done every time there is an attack, and if they have not found it, they should consider that they have not found it yet.”
0 Comments

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    March 2025
    February 2025
    January 2025
    November 2024
    October 2024
    September 2024
    July 2024
    June 2024
    April 2024
    March 2024
    February 2024
    January 2024
    December 2023
    November 2023
    October 2023
    September 2023
    August 2023
    July 2023
    June 2023
    May 2023
    April 2023
    March 2023
    February 2023
    January 2023
    December 2022
    June 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    AI Security
    Artificial Intelligence
    ATP
    Awareness Training
    Blockchain
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cybercrime
    Cyber Espionage
    Cyber Insurance
    Cyber Security
    Cybersecurity
    Cybersecurity Audit
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Cybersecurity Tips
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    Data Privacy
    DDoS
    Email Security
    Endpoint Protection
    Fraud
    GDPR
    Hacking
    Impersonation Scams
    Incident Management
    Insider Threat
    IoT
    Machine Learning
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third Party Risk
    Third-Party Risk
    VCISO
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
SME CyberShield
​Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2025 Driz Group Inc. All rights reserved.
Photo from GotCredit