The implications of PIPEDA for small business

By Dom Chorafakis, CISSP

November 27, 2018

DISCLAIMER

Information contained in this post is intended as general information only. It is not, nor should be construed as legal advice and should not be relied upon as such. If you need legal advice, please contact an attorney directly.

Personal Information Protection and Electronic Documents Act (PIPEDA)

It has been almost a month since the new PIPEDA rules regarding mandatory breach reporting in Canada came into effect and many clients still have questions around what it means for their business. In this post we’ll explore some of the key highlights of the legislation and provide links back to the relevant sections of the Office of the Privacy Commissioner of Canada (OPC) website you can use to get more information.

Perhaps the most common question that comes up is whether the rules apply to a small business that only has one or two employees. The short answer is yes, they do. The rules do not provide for any exemptions based on number of employees or revenue. There are, however, certain types of organizations to which the rules may not apply, as per the PIPEDA brief available at https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/ [1]:

“Unless they are engaging in commercial activities that are not central to their mandate and involve personal information, PIPEDA does not generally apply to:

  • not-for-profit and charity groups
  • political parties and associations” [1]

So if you own a business that is not a charity, political party or association, then the rules definitely apply to you. Note however that even those organizations may need to comply with the rules if “they are engaging in commercial activities that are not central to their mandate” [1]. For example, if an association sells its member list data for marketing purposes, PIPEDA would apply.

As mentioned in the brief, “PIPEDA applies to the collection, use or disclosure of personal information in the course of a commercial activity. A commercial activity is defined as any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fund-raising lists.” [1]

The personal information that is protected under PIPEDA includes anything that is recorded about an identifiable individual. According to the brief, “This includes information in any form, such as:

  • age, name, ID numbers, income, ethnic origin, or blood type;
  • opinions, evaluations, comments, social status, or disciplinary actions; and
  • employee files, credit records, loan records, medical records, existence of a dispute between a consumer and a merchant, intentions (for example, to acquire goods or services, or change jobs).” [1]

The Act defines 10 fair information principles that businesses must follow with regard to personal information:

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure, and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance

There are a number of clauses in the Act (which is available online at http://laws-lois.justice.gc.ca/eng/acts/P-8.6/FullText.html [2]) that are relevant from a cybersecurity perspective. For example, the Act states that “Organizations shall implement policies and practices to give effect to the principles, including

(a) implementing procedures to protect personal information;

(b) establishing procedures to receive and respond to complaints and inquiries;

(c) training staff and communicating to staff information about the organization’s policies and practices; and

(d) developing information to explain the organization’s policies and procedures.” [2]

Furthermore, the Act states that “The methods of protection should include

(a) physical measures, for example, locked filing cabinets and restricted access to offices;

(b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and

(c) technological measures, for example, the use of passwords and encryption.” [2]

Not only does the Act require businesses to use appropriate administrative and technological safeguards to protect personal information, it also stipulates that any breach of these safeguards that exposes this personal information must be reported to the OPC. Organizations that fail to report such a breach may be liable for a fine of up to $100,000. According to the Act, “An organization shall report to the Commissioner any breach of security safeguards involving personal information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.

[…] significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.” [2]

The OPC provides a privacy toolkit for business at https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/guide_org/ to help comply with the Act and its principles.

Cybersecurity Essentials

By Dom Chorafakis, CISSP

June 21, 2017

The cyber threat landscape is constantly changing as criminal hackers look for new and creative ways to profit from online crime. While there is no silver bullet that can guarantee protection against breaches or other forms of attack, keeping up to date with the latest threats and vulnerabilities is an important part of any security strategy.

Cryptojacking

With the rise in popularity of digital currencies like Bitcoin and Ethereum, cybercriminals have found new opportunities in cryptomining as a revenue stream. The unauthorised use of computer resources to mine cryptocurrency, known as cryptojacking, has now exceeded ransomware as the largest online threat. There are two aspects to this that are important to take into account from a security perspective: website compromises and malvertising.

Hackers attempt to install cryptomining software on victims’ computers by planting malicious code on websites they are able to compromise. Web servers have always been exposed to hackers because of their very nature, but the potential for profit from illicit cryptomining makes them more interesting targets than ever before. System administrators need to ensure that servers are adequately protected by making sure the operating system and software are up to date, accounts are secure and use strong passwords, endpoint security mechanisms such as anti-virus are installed, servers are protected using Intrusion Prevention technology, and measures are in place to detect and prevent unauthorised content changes.
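The last measure in that list, detecting unauthorised content changes on a web server, can be demonstrated with a simple file-integrity check. The script below is an added example written for this post, not code from the original article or from any product it mentions: it records a SHA-256 manifest of every file under a web root (the sample files and the simulated tampering are constructed inline, and the web root is a temporary directory rather than a real site) and then reports which files were modified, added or deleted since the baseline. An injected miner script on a compromised site shows up as exactly these kinds of changes.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large assets are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(web_root: Path) -> dict:
    """Map each file path (relative to web_root, POSIX style) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(web_root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(web_root).as_posix()] = hash_file(p)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Return the files that were modified, added or deleted since the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "deleted": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, then simulate the kind of
    unauthorised change an attacker would make, and return the integrity report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        # Constructed sample site content (hypothetical, not from the post).
        (root / "index.html").write_text("<html><body>Hello</body></html>\n")
        (root / "js" / "app.js").write_text("console.log('app');\n")
        (root / "style.css").write_text("body { color: black; }\n")
        baseline = build_manifest(root)

        # Simulated tampering (constructed): one page changes, one file appears,
        # one file disappears. A real check would run on a schedule against a
        # baseline stored somewhere the web server account cannot write to.
        (root / "index.html").write_text("<html><body>Hello<!-- changed --></body></html>\n")
        (root / "js" / "x.js").write_text("// unexpected new file\n")
        (root / "style.css").unlink()

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest should be regenerated only as part of a legitimate deployment and stored off the server (or at least somewhere the web server’s own account cannot modify), otherwise an attacker who gains write access to the web root can simply update the baseline along with the content. Any non-empty report from a scheduled run should be treated as an incident to investigate, not silently re-baselined.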

Malvertising

In addition to compromising legitimate websites, hackers are creating fraudulent sites that look legitimate, directing users to these sites using fake online ads displayed on popular websites, a practice known as malvertising. This practice is not new, but a significant spike in cryptojacking related malvertising was recently observed by a network of Intrusion Prevention systems as reported here.

People surfing the internet should assume that at some point they will come across either a legitimate site that has been compromised, or a fraudulent site set up specifically to infect vulnerable systems. To protect themselves, users should keep their Operating System and all software they use up to date, make sure good anti-virus is installed and up to date, use safe-browsing plugins from their anti-virus vendor and use an ad-blocker to block online ads.

Email compromise

While there has been a significant increase in these new threats thanks to the potential for quick profit, email continues to be by far the predominant attack vector. From account compromise and phishing attacks to malicious attachments, email-based attacks are still the most common method used by hackers to infect vulnerable systems with ransomware, cryptojacking software, or trojans used to carry out financial fraud and other attacks. While technologies like anti-spam and anti-virus can help, user education is one of the most effective tools to help minimise risk in this area. Users need to be aware of the types of threats and attacks, how to identify them, and what steps they must take in the event of a suspected compromise.

The long game

Staying up to date with the latest threats and cyberattacks is important, but it is only one element of a good cyber security strategy. Defending against hackers and cyber criminals is not a one-time activity; it needs to be an ongoing process that is actively managed and updated to reflect changes to your information, its ecosystem and evolving threats. A good strategy includes the following five elements.

1. Identify your assets

It’s impossible to build a solid defence if you don’t know exactly what you are defending. During this stage you need to identify all of the data, applications and hardware that need to be protected.

2. Identify threats and risks

Once you have a list of everything that needs to be protected, it’s time to analyse the risks and threats to each asset. The threats to your company website are different from the threats to your customer list or payroll information, so different countermeasures are needed to protect the confidentiality, integrity and availability of the systems and the information they process.

3. Apply security controls

Once you have identified and prioritized assets and threats, it is time to select and deploy the safeguards needed to protect your organization. This may seem daunting, but remember that you don’t need to solve everything at once: you can start by taking steps to address the biggest risks to your most valuable or sensitive assets and work down the list as time and budget permit.

4. Detect and Respond

Despite best efforts, breaches and other security incidents can and will occur. The ability to detect and respond to them is as important as the effort to prevent them in the first place. There are a number of steps that can be taken in this area, ranging from technical solutions such as managed security services and Intrusion Prevention, to policies and procedures such as having a formal Incident Response Plan.

5. Review and adjust

Lastly, it is important to keep in mind that a cyber security strategy is not static; it needs to be reviewed and adjusted to make sure it is always up to date and your important assets are protected. How often it needs to be reviewed depends on many factors, including the threat level, the sensitivity of the information, and legal and regulatory requirements. At a minimum, the strategy should be reviewed once a year, every time there is a significant IT change, and every time there is a security incident.

Where to go from here

There are many free resources that can help individuals and businesses with cyber security. In Canada the government has launched a Get Cyber Safe initiative with the mission “to educate Canadians about Internet security and the simple steps they can take to protect themselves online”. For more information you can visit the Get Cyber Safe website and get started on your own cyber safety strategy.
