Compliance with Act 25: Monitoring your network is key
The new Act 25 (Law 64) on the protection of personal information comes into force on September 22, 2022. As a reminder, this law requires all public, private and NPO organizations to take measures to protect the personal information of Quebecers.
Act 25 requires that all privacy incidents (security breaches involving personal information) be reported to the Commission d'accès à l'information. Penalties of up to $25 million are anticipated as of September 2023.
Act 25 requires you to report privacy incidents. However, in order for you to report an incident, you must be able to detect it. This is the most difficult part of the process of complying with this law.
In this article, we will outline where you should focus your energies, in addition to defining your security policies and appointing a privacy officer.
What is a privacy incident?
According to Act 25, a "privacy incident" is any of the following events:
1- unauthorized access to personal information;
2- unauthorized use of personal information;
3- unauthorized disclosure of personal information;
4- loss of personal information or any other breach of the protection of personal information.
Incidents you need to pay the most attention to
Two (2) kinds of privacy incident will cause organizations the most nightmares, because they are not only difficult to detect but also have major consequences.
Between the expected fines and the cost of managing the incident, they can spell the end of an SME.
- Theft of personal information by someone with authorized access to the network: this was the case of the massive theft of personal information by a Desjardins employee.
- Data exfiltration by ransomware: this has become common practice because it gives the attackers a second means of leverage when the victim organization has recent backups it can restore. If the victim refuses to pay the ransom, the attackers publish the data, as happened with BRP (nearly 30 gigabytes of data published).
Your goal: minimize the risk of privacy incidents
Your goal should be to minimize the risk of privacy incidents because their consequences can be dramatic (criminal liability, fines of up to $25 million, etc.).
To do this, you must:
- Identify all systems on your network that collect, store and process personal information, and protect them adequately;
- Educate your users;
- Deploy intrusion detection (IDS/IPS/NDR) and endpoint protection (antivirus, EDR) technologies;
- Monitor your network security 24/7 so that malicious activity targeting you is identified quickly and blocked before it becomes an incident.
Security monitoring is key
Without monitoring your network security with appropriate technologies, you will not be able to detect the incidents that target you. Focusing on network monitoring is the best option for protecting yourself from penalties and fines.
It also protects you from having a third party report your incident to the government, which is the scenario organizations fear most. For example, an attacker who exfiltrates your data (via ransomware or an intrusion) may report the incident to the Quebec government if you refuse to pay the ransom. In that case, you will have a hard time convincing the government that you took all the necessary steps to protect the personal information you hold. Some organizations would rather pay the ransom than notify the government; this is a very bad idea, because paying does not make the attackers go away.
Prepare for the worst and have an incident response plan
Cyber attacks will keep growing, and to avoid unpleasant surprises you need to prepare for the worst. Create an incident response plan that clearly states who does what in the event of a privacy incident, then test the plan at least once a year to make sure it will work when needed.
If you don't have the expertise, enlist the help of a cybersecurity firm that specializes in incident response.
How can Streamscan help you?
Cyber attacks are growing all the time. Without continuous security monitoring, you have no visibility into which attacks are targeting you, and you can't protect yourself from what you can't see.
Let us put our eyes on your network. Join our MDR managed monitoring platform powered by our CDS cyber threat detection technology and keep yourself safe from cyberattacks.
Contact us at +1 877 208-9040 or talk to one of our experts.