Cybersecurity & Compliance Priorities For Canadian – US Business Operations

If your business operates across the Canadian – US border, then you need to make sure you’re up to date on the many compliance and cybersecurity standards you may be subject to.

The ever-evolving nature of the modern workplace has brought about many changes to the business world. Many are beneficial – the cloud offers more convenient access to data, new software streamlines tasks, and mobile technology allows professionals to take their work anywhere they need to.

However, with this increased level of convenience comes an increased level of risk. If it’s easier for you to access private client data, it’s potentially easier for cybercriminals to do so as well. That’s why more and more state, provincial, and federal governments are enacting different forms of legislation to protect consumers and their data.

Do you know how to stay compliant?

Compliance Is Complicated When You Cross The Border

It all depends on where you do business. On both sides of the border, there are federal or state/provincial compliance systems in place that could affect the way you’re expected to deal with consumer data.

While HIPAA has been around for years, dictating the secure and private use of electronic Protected Health Information, two states have recently enacted new legislation of their own:

SHIELD, New York

Signed into law on July 25, 2019, the SHIELD Act's breach notification amendments took effect on October 23, 2019, and its data security requirements take effect on March 21, 2020. It is designed to make sure that organizations do their due diligence to protect the private information they hold that belongs to residents of New York state. This means implementing reasonable administrative, technical, and physical safeguards, and, in the event of a failure, facing noncompliance fines. Note that the law applies to any business that holds New York residents' private information, not only to businesses located in New York.

Private information covered by the SHIELD Act includes:

    • Social Security numbers
    • Credit or debit card numbers
    • Driver's license or non-driver ID card numbers
    • Biometric information
    • Usernames or email addresses in combination with a password or security question and answer
    • Financial account numbers with a security code, or without one if the number alone could be used to access the account

CCPA, California

The California Consumer Privacy Act (CCPA) was signed into law in June 2018 and took effect on January 1, 2020. This privacy act dictates consumer rights and company responsibilities in relation to collected consumer data.

The law, AB 375, allows any California consumer to demand to see the personal information a company has collected about them, as well as the categories of third parties that data is shared with or sold to, and to opt out of the sale of that information. The law also gives consumers a private right of action, but only for data breaches that result from a failure to maintain reasonable security; other violations are enforced by the California Attorney General. It's important to note that consumers can sue even when the breached data was never demonstrably misused, so the cost of a breach no longer depends on proof of harm.

And that’s just for operating in specific states. If you also do business over the northern border, you have to consider Canada’s compliance counterparts:

  • There is the Personal Information Protection and Electronic Documents Act (PIPEDA), a Canadian law that governs how private sector organizations collect, use and disclose personal information in the course of commercial business.
  • British Columbia has its own provincial version, the Personal Information Protection Act (PIPA), which is actually broader in scope, covering unincorporated associations, trade unions, trusts, political parties, and not-for-profits, as well as conventional commercial businesses.
  • There is also the Canadian Anti-Spam Legislation (CASL), a federal statute that affects the way you can market to Canadian prospects via electronic communication.

What Do You Need To Know About Compliance?

In 2018, the General Data Protection Regulation (GDPR) came into effect, setting a monumental precedent for the way businesses are expected to approach consumer privacy in the age of the Internet.

A benefit of the fact that SHIELD, the CCPA, and other similar systems are following GDPR is that you can learn directly from the experiences European and international businesses had in becoming compliant last year.

Instead of having to granularly develop your compliance practices from scratch (which can be expensive, in both time and money), you can model your processes after those that have been proven to be effective.

You Need To Know How You Are Affected.

This all comes down to data access and control.

If you never went through a GDPR-style review, there are likely a number of unexamined and unevaluated avenues for data access in your operations that could put you at risk of noncompliance now that the CCPA is in effect.

Once they were required to double-check how their data was accessed and controlled, businesses in Europe found that legacy systems gave poorly controlled access to personal data. These are the types of gaps in your data control practices that need to be addressed.

By analyzing your operations top to bottom, you will likely identify ways that data can be accessed that few (or no one) was aware of because they weren’t regularly making use of them.

If you don’t already have policies for the following considerations, now is the time to start developing them:

  • Controls and Notifications
    1. Protect personal data using appropriate security.
    2. Notify authorities of personal data breaches.
    3. Obtain appropriate consents for processing data.
    4. Keep records detailing data processing.
  • Transparent Policies
    1. Provide clear notice of data collection.
    2. Outline processing purposes and use cases.
    3. Define data retention and deletion policies.

You Need To Budget For CCPA Sooner Rather Than Later.

Compliance is never free. It’s an unfortunate reality of the modern business world, that as much as the Internet and data collection (and sale) can benefit what you do, the downside is how expensive compliance can end up being.

But it’s the cost of doing business, simple as that.

As discussed in the first lesson above, you will need to devote time and resources to examine the way you control data. Once analyzed, you will need to implement changes to your operations and structure in order to be compliant.

All of this will cost you, at the very least in terms of working hours for the staff you have assigned to these tasks. However, if your analysis determines that you’ll need to implement new controls in the form of security technologies, that will cost too.

You Need To Know The Consequences Of Non-Compliance Now.

It's important to note that, although CCPA and SHIELD are following GDPR and much of the discussion is around how they (and practices for compliance) are similar, there is a key way in which they differ. CCPA and SHIELD add requirements of their own on top of what GDPR-style programs already cover.

The CCPA, for example, treats information tied to a household or a device as personal information, and gives consumers the right to opt out of the sale of their personal information.

Most importantly for you? Penalties associated with non-compliance are steep. Under the CCPA, civil penalties are up to $2,500 per violation, or up to $7,500 per intentional violation, with no cap on the total. Before the NY SHIELD Act, failing to notify could cost you the greater of $5,000 or $10 per instance, up to a total of $150,000.

Under the SHIELD Act, that fine increases to the greater of $5,000 or $20 per instance, with a maximum of $250,000, and the Attorney General can bring an action up to three years after an incident rather than two.

Think for a minute about how many customers you deal with… budgeting for that kind of cost likely isn’t feasible. Compare it to the cost of becoming compliant, and you’ll likely see the wisdom in learning lesson #2 sooner rather than later.

All of this is to say, you need to make the effort now. Non-compliance is far more troublesome and costly than taking the steps to become compliant over the next six months.

Need Expert Assistance With Compliance?

Need a hand assessing your compliance? You can partner with BlueHat Cyber to have your compliance practices double-checked and your cybersecurity supported by the right technology.

Not Sure Where To Start?