Does my business need a Firewall?
Why does a Personally Identifiable Information (PII), Confidential Information (CI) or Payment Card Industry Data Security Standard (PCI) compliant business absolutely and unequivocally need a firewall?
If your systems connect directly to the Internet and manage or access PII, PHI, CI or PCI data locally, in the cloud or via Internet web portals without protection, you dramatically increase your risk of being breached.
Many owners of smaller organizations believe that their smaller footprint makes them invisible to, or not targeted by, malicious intruders, and that they are at lower risk of being attacked. The opposite is true. Hackers don’t target your business specifically; they release automated bot armies that continuously scour the Internet looking for unprotected devices. They look for vulnerabilities in the way devices are configured: things like factory-set passwords, weak encryption, non-updated firmware, etc. Once a weakness is found, they exploit it by collecting user names, passwords, access codes, bank information, SINs, credit card information and other data and sending it back to the bad guys, who collect the stolen data for 6-9 months on average before using it. By the time the breach is spotted, you may have lost thousands of client data records. The average cost of a breach for a small business in the US is $36,000, plus a huge bruise to the business’s professional reputation. Data breaches continue to go up every year, and even though you hear about the big ones (Target, Home Depot, Michael’s, CVS/Walgreens, etc.), most breaches happen to small businesses like yours.
Two separate federal privacy laws protect our privacy as Canadians. These laws govern the information that businesses can collect on other Canadians, as well as how organizations must manage and protect that data.
As of January 1, 2004, PIPEDA applies to every organization that collects, uses or discloses personal information during commercial activities. However, the federal government may offer an exemption for organizations and/or activities in provinces deemed to have adopted substantially similar privacy legislation (more on this later).
What is the ‘Personal Information Protection and Electronic Documents Act’?
The Personal Information Protection and Electronic Documents Act is a Canadian law that relates to data privacy. PIPEDA governs how private and public sector organizations collect, use and disclose personal information in the course of commercial business.
PIPEDA stipulates that Personally Identifiable Information (or PII) must be:
• collected with consent and for a reasonable purpose
• used and disclosed for the limited purpose for which it was collected
• accessible for inspection and correction
• stored securely
PIPEDA, in plain English, states that once an organization collects data, regardless of the province, industry, or type of data, the organization is fully accountable and responsible for the protection of that data.
Is my organization required to keep our data in Canada?
PIPEDA, at the federal level, does not require all Canadian organizations to keep data in Canada. However, depending on which province your business is in, whether it operates in the private or public sector, and which industry it works in, you could potentially be required to keep data within Canadian borders.
For example, a public sector commercial medical research company in Nova Scotia will almost certainly be required to keep Personally Identifiable Information (PII) data in Canada (under the NS Personal Information International Disclosure Act), while a real estate agent in Manitoba would be free to store their data across borders.
Regardless of where your data might be stored, at the end of the day, each federal and provincial privacy act is very clear. Once an organization collects sensitive data, that organization is then 100% responsible for the protection and security of that data, and it is up to each individual organization to fully understand the rules.
What specific data is protected under PIPEDA?
Under PIPEDA, the following is considered sensitive or Personally Identifiable Information (PII) and is explicitly protected under the law:
• Age, name, ID numbers, income, ethnic origin, or blood type
• Opinions, evaluations, comments, social status, or disciplinary actions
• Employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs)
Are the privacy laws the same in every province?
PIPEDA is a federal act; however, the federal government may exempt organizations and/or activities in specific provinces deemed to have adopted substantially similar privacy legislation.
For example, the province of Nova Scotia has ruled that
“Public bodies ensure that personal information in its custody or under its control … is stored only in Canada and accessed only in Canada.”
Other federal regulatory bodies also request that certain types of data remain protected and within Canadian borders:
• The Personal Information Protection and Electronic Documents Act (PIPEDA)
• Ontario’s Personal Health Information Protection Act, with respect to health information custodians
• Canada Revenue Agency – Keeping Records