Breach notification reporting can be complicated without proper skills, tools

A key question raised by pending changes to the Personal Information Protection and Electronic Documents Act (PIPEDA), which require organizations to notify Canada’s Privacy Commissioner in the event of a breach depending on its impact, is how to decide whether they are obligated to report.

And although it’s a single question, it’s not an easy one for many organizations to answer, said Ali Arasteh, senior manager at FireEye. Reporting breaches under the Digital Privacy Act becomes complicated if a company doesn’t know when it was breached or how much data was touched by a bad actor. In some cases, they may not even know they’ve been hacked.

On average, it takes 147 days to discover a breach, according to FireEye’s Mandiant M-Trends research. Arasteh said Mandiant responds to 200 incidents a year, and many breaches in the U.S. result in notifications. The new requirements in Canada will be useful in garnering more attention at the executive level for security and risk issues such as data breaches, and law enforcement agencies will benefit as the breach notification requirement will allow them to justify the resources they need to deal with the problem.

However, there is still a huge gap in many organizations, both from a technical and skills perspective, in terms of how to evaluate the impact and scope of a breach, said Arasteh. “The nature of security issues and breaches means it’s sometimes very difficult to decide when to notify third parties or not.” Organizations need to determine whether personal information was accessed and disclosed, and what harm that breach may cause.

He said that’s a tough call to make, as there are a number of factors that determine the impact of a breach and its scope. But if the hacker wasn’t detected until five months after the initial access, they have probably gained access to everything. Most hackers are able to crack an enterprise’s Active Directory within three days, said Arasteh. “If an attacker has been around a couple of weeks, you can assume they accessed all critical information.”

It’s hard to find out what damage has been done, as it takes a great deal of time and resources, while a company’s board of directors wants to know the impact and scope immediately, he said. “Answering these questions takes time.” And unless you put in the effort, you don’t know what data has been accessed, and there is a chance you might not be able to figure it out if there’s no evidence left. “That adds to the complexity.”

Arasteh said it helps to look at the motivation behind the attack. “There are a number of actors you need to take into account.” Was it a government-sponsored attack? A financial actor monetizing information? Someone looking to damage the company’s reputation? “Motivation is important.” In Canada, there’s been an increase in attacks aimed at disrupting business operations, he said, as well as ransomware scenarios.

It goes without saying that organizations need to work at earlier detection of breaches. “The potential impact will be lower,” said Arasteh. “The earlier we can find the attacker in the lifecycle, the easier it will be to scope the incident.” Many enterprises make significant investments in controlling the perimeter, but once an attacker gets past, the organization has no visibility or detection capabilities, he said. This lack of visibility means they can’t go back to look at traffic to understand what was happening a month ago or know what data was leaving the perimeter that shouldn’t have.

These investigative capabilities are also critical to determining the impact and scope and whether it needs reporting or disclosing per the Digital Privacy Act, said Arasteh, and organizations should look at having third parties on retainer who have the missing skills. “Typically organizations don’t have the maturity to respond to a sophisticated attacker.”

Gary Hilson
Gary Hilson is a Toronto-based freelance writer who has written thousands of words for print and pixel in publications across North America. His areas of interest and expertise include software, enterprise and networking technology, memory systems, green energy, sustainable transportation, and research and education. His articles have been published by EE Times, SolarEnergy.Net, Network Computing, InformationWeek, Computing Canada, Computer Dealer News, Toronto Business Times and the Ottawa Citizen, among others.
