As governments around the world continue to adapt to ever-advancing technologies in our digital world, the need to address individual privacy, both in the collection of personal information and in the use of artificial intelligence, has become evident. In June 2022, the Canadian government introduced Bill C-27 as its attempt to replace the outdated Personal Information Protection and Electronic Documents Act (PIPEDA). The bill aims to enact the Consumer Privacy Protection Act (CPPA), the Personal Information and Data Protection Tribunal Act, and the Artificial Intelligence and Data Act, as well as making consequential and related amendments to other Acts.
The new Bill C-27 will provide regulatory oversight to protect individual privacy rights. In 2023, Canada proposed to strengthen data confidentiality in Bill C-27: Consumer Privacy Protection Act. Currently, PIPEDA carries penalties of up to $100,000 CAD per violation. The changes to the CPPA could significantly increase these fines.
While these changes are made to protect the data of individuals, companies still find it challenging to ensure the confidentiality of their data. Cybercrime is more profitable than ever before, and data theft and ransomware techniques are becoming increasingly sophisticated. Traditional security solutions are often insufficient to prevent a data breach. This blog post will delve into the main changes proposed by Bill C-27 and how organizations can update their policies and procedures to prepare for the new legislation.
Companies must implement a Privacy Management Program to comply with the proposed changes in Bill C-27. This means that organizations should implement policies, practices, and procedures related to the protection of personal information. For example, a robust IT security policy that details data handling, access controls, authorization, and more will help organizations comply with this requirement. When putting these policies and procedures in place, it is essential to consider the sensitivity of the personal information and the amount of personal information being handled. As part of a Privacy Management Program, all employees should also be trained on the proper handling and usage of personal data.
Access Control: Access management is one of the first steps to meeting compliance requirements for the new Bill C-27 changes. Controlling and limiting who has access to data is essential to minimizing the risk of a data breach. Only those who require access to data should be able to view and edit it. These controls should be reviewed regularly and updated based on job roles and responsibilities.
Multi-factor Authentication: Additionally, multi-factor authentication should be a requirement for all employees, especially those with access to personal information. Having multi-factor authentication as a requirement to access data adds another obstacle for cybercriminals attempting to steal information.
Data Encryption: Another step that companies should take to meet compliance and protect their data is encryption. Encrypting sensitive data both in transit and at rest can protect it from unauthorized access (from insider and outsider threats). This helps ensure that even if data is intercepted in transit, it remains unreadable without the proper decryption keys.
Firewalls and Intrusion Detection Systems: Organizations should deploy firewalls and intrusion detection systems to monitor and control network traffic. Firewalls are responsible for identifying and blocking potentially malicious activities. Next-generation firewalls (NGFWs) can prevent known exploits and threats, as well as use artificial intelligence (AI) to prevent unknown threats.
DNS Protection: DNS security adds protection against data exfiltration techniques that are difficult to detect. Traditional security measures usually cannot detect DNS exfiltration. The most reliable way to detect data exfiltration hidden in network traffic is end-to-end analysis of the transactions passing through DNS. DNS protection will go a long way towards helping businesses ensure compliance with Bill C-27.
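As an added illustration of the DNS transaction analysis described above (example code written for this post, not a vendor product), the following script groups DNS query logs by client and registered domain and flags the pattern exfiltration tunnels leave behind: many unique, long, high-entropy subdomains under one domain. The log lines are constructed, and treating the last two labels as the registered domain is a simplifying assumption (production tooling would use a public suffix list).

```python
"""Flag DNS query patterns that commonly accompany DNS-based data exfiltration."""
import hashlib
import math
from collections import defaultdict

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payloads score higher than hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(name: str):
    """Split a query name into (payload labels, registered domain).
    Assumption: the registered domain is the last two labels (no public suffix list)."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyze_dns_queries(queries, min_unique=20, entropy_threshold=3.5, max_payload_len=30):
    """queries: iterable of (client_ip, queried_name). Returns one finding per
    (client, registered domain) whose subdomain churn and payload shape look like encoded data."""
    groups = defaultdict(set)
    for client, name in queries:
        payload, domain = split_name(name)
        if payload:
            groups[(client, domain)].add(payload)
    findings = []
    for (client, domain), payloads in groups.items():
        if len(payloads) < min_unique:
            continue  # ordinary hosts reuse a handful of subdomains
        avg_len = sum(len(p) for p in payloads) / len(payloads)
        avg_ent = sum(shannon_entropy(p) for p in payloads) / len(payloads)
        if avg_ent >= entropy_threshold or avg_len >= max_payload_len:
            findings.append({"client": client, "domain": domain,
                             "unique_subdomains": len(payloads),
                             "avg_payload_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)})
    return findings

# Constructed sample log: one ordinary workstation and one host pushing hex-encoded chunks.
SAMPLE_QUERIES = [("10.0.0.5", h + ".example.com") for h in ("www", "mail", "api", "cdn", "www", "mail")]
SAMPLE_QUERIES += [("10.0.0.9", hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40] + ".tunnel-example.net")
                   for i in range(60)]

if __name__ == "__main__":
    for finding in analyze_dns_queries(SAMPLE_QUERIES):
        print(finding)
```

Thresholds should be tuned against a baseline of the organization's own resolver logs, since CDNs and some security products also generate many unique subdomains.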
Patch Management and Monitoring: In all areas of security, it is essential that vulnerabilities are patched and updates applied as soon as possible. Applying security patches promptly prevents known vulnerabilities from being exploited by attackers. Additionally, organizations should conduct regular security audits and continuously monitor systems to detect any unusual activity or unauthorized access promptly. This includes monitoring logs, network traffic, and system activity.
The new changes proposed for Bill C-27 also include the requirement for explicit consent from individuals to collect, share, or disclose personal information. Additionally, it outlines requirements for companies to be transparent about what personal information is collected and how it is used and handled.
Employees must be trained in how to appropriately collect and handle personal information. Furthermore, information regarding what personal information is collected and the purpose of it must be readily available for customers to read.
It is important that companies prepare for Bill C-27, as it is expected to be approved before 2025. Failure to meet the compliance requirements of PIPEDA carried a maximum fine of $100,000 CAD. With the changes in Bill C-27, the maximum fine would be $10,000,000 or 3% of an organization’s global gross revenue in its previous financial year (whichever is higher). It is clear that governments globally have already begun to place higher importance on the protection of individuals’ personal information. With the United States’ CCPA and Europe’s GDPR setting a precedent, Canada will surely follow suit.