When the pandemic sent us to our homes and out of our offices, businesses became ever more reliant on remote operations. Employees needed to be able to seamlessly access the company network to ensure productivity was not impacted (at least not due to technological impediments). Client, vendor and supplier relationships had to be maintained by accessing video conferencing platforms where the security of sensitive information was controlled by third parties – often ones with which your business did not even have a contractual relationship.
Increased reliance on remote access to networks and cloud computing has also led to increased cybersecurity threats for businesses. This is not just a threat on the local level, but also the provincial, national and even international level. Last week, the president of the International Committee of the Red Cross, Peter Maurer, warned that cyber attacks against hospitals and other critical civilian infrastructure are on the rise (see Toronto Star, "Red Cross chief: cyber attacks increasing on hospitals", August 26 2020).
A cyber attack on civilian infrastructure would have catastrophic consequences for the community. A cyber attack on a business that halted operations would have catastrophic consequences too – on that business’ reputation, in addition to its bottom line.
A strong Privacy Management Program is the strongest defence against a cyber attack. A business’ Privacy Management Program ensures compliance with privacy-related obligations, and ensures that privacy risks are identified and taken into account in developing the business model and the products and services offered to clients. Minimizing privacy risks through the Privacy Management Program will mitigate the impact of any privacy breaches.
The Building Blocks of a strong Privacy Management Program include:
- Development, implementation and evaluation of privacy policies and procedures;
- Training of employees to ensure understanding of and compliance with the privacy policies and procedures;
- Data sharing agreements with third party service providers when personal information is transferred for processing;
- Safeguards in place to protect personal information collected, used and/or disclosed by the business;
- Response system for requests for access to personal information; and,
- Response system to complaints from individuals on the handling of their personal information.
If a business fell victim to a cyber attack, and an investigation was commenced by the overseeing privacy commissioner, it would be imperative for the business to be able to show that it had a strong Privacy Management Program in place.
The Lerners Privacy and Information Protection Group is able to assist in developing and implementing a business’ Privacy Management Program. Whether it is developing the entire program, or one component of it, the Lerners team can assist.