[BreachExchange] Only 40 per cent of Canadian firms surveyed have data breach response procedures

[Audrey McNeil]

https://www.itworldcanada.com/article/only-40-per-cent-of-
canadian-firms-surveyed-have-data-breach-response-procedures/405833


Half of Canadian executives say they have low or no concerns about a
potential breach involving their own business, a new survey for the federal
privacy commissioner has found.

The survey of 1,014 Canadian senior decision-makers with responsibility and
knowledge of their company’s privacy and security practices was conducted
last fall. Asked to rate their level of concern about a possible data
breach, nearly one-quarter (23 per cent) of respondents said they are
extremely concerned., whereas 36 per cent said they were not concerned at
all. Overall, nearly half (48 per cent) were moderately concerned (scores
of three or higher on the seven-point scale) and half (50 per cent)
expressed low or no concern at all.

The responses alarmed privacy commissioner Daniel Therrien.

“The low level of concern amongst some businesses is surprising given the
significant number of major breaches we see occurring,” he said in a
statement. “The risk of a breach is an issue every business that collects
and uses personal information must be alert to. Breaches can have negative
consequences for affected individuals, but also for the organization,
including, for example, loss of consumer trust.”

Compared to a similar survey run by the office three years ago,  concern
over data breaches has actually decreased among Canadian businesses. Then
the proportion of executives not concerned about a possible breach was  44
per cent.

Only four in 10 firms said they have policies or procedures in place in the
event of a breach involving customer personal information—a number that
remains unchanged since 2015. Just over half of respondents said their
company does not have any breach response protocols or procedures in place
(eight per cent were uncertain whether or not their business has protocols).

However, approximately two-thirds of respondents (68 per cent) said their
company attributes high importance to protecting the personal information
of their customers.

The survey was commissioned by the Office of the Privacy Commissioner of
Canada to better understand the privacy awareness and practices of
businesses. The results can be considered accurate to within plus or minus
3.1 per cent, 19 times out of 20.

David Swan, the Alberta-based director of cyber intelligence for the Centre
for Strategic Cyberspace and Security Science, found the survey results
“disappointing … also rather frustrating. The last of awareness is
dangerous ” — but not unexpected. Canadian news media don’t cover cyber
security very well, he said, federal parties don’t have solid security
policies, provincial governments aren’t publicly vocal on the issue and
local police departments don’t have the resources to investigate data
breaches. “So Canadian business is operating in something of a vacuum,” he
concluded.

Some survey respondents may not have a lot of personal data of customers
and may see protecting the little they have as a relatively low priority,
he agreed. Still, Swan added, they ought to see themselves as targets.

“In Alberta there’s a lot of companies that support the energy sector, and
there are some really interesting small to medium sized businesses who have
technical specialties. Their intellectual property and their client list is
their lifeblood. And many of them don’t see themselves as targets, and
really they are. It’s terrifying.”

The survey also found that small businesses had lower levels of awareness
of their privacy responsibilities than larger organizations, with 43% of
small businesses indicating awareness versus 64 per cent of large
organizations (100+ employees).

Nearly three-quarters of respondents said their company stores the customer
information it collects on-site electronically, a change from previous
years, when storing information on paper was the top storage method. Paper
this time was 56 per cent  Other methods of storing customer information
include the use of portable devices, like laptops, USB stick, or tablets
(26 per cent), and off-site with a third-party (18 per cent).

About 94 per cent of the businesses surveyed use at least one security
method to protect the personal information of their customers, no change
since the 2015 survey. Similar to 2015, the most common measures employed
are passwords (78 per cent) and physical measures (77 per cent). A smaller
proportion of respondents said their company uses organizational controls
(60 per cent), technological measures (59 per cent), and system review
tests and security updates (55 per cent).

Consistent with 2015, approximately two-thirds of surveyed business
executives (68 per cent) said their company attributes high importance to
protecting the personal information of their customers. Nearly half or more
said they have a designated privacy officer (59 per cent), internal
policies for staff that address privacy obligations (50 per cent), and
procedures for dealing with customer complaints (51 per cent) or customer
requests to access their personal information (47 per cent). These results
are virtually unchanged since 2015. In addition, 37 per cent (up from 32
per cent in 2015) provide staff with regular privacy training and education.

Among companies saying they have a privacy policy (486 of respondents),
more than nine in 10 say it explains in plain language what personal
information is being collected and for what purpose it is being collected.
In addition, three-quarters of these companies say they have a privacy
policy that clearly explains which parties the collected personal
information will be shared with.

Still, among the companies with a privacy policy, only half (52 per cent)
explain the risk of harm in the event of a breach in their policy.

In an interview, Anne-Marie Hayden, the privacy commissioner’s director of
communications, was asked if a question that asks “are your worried about a
data breach,” provides useful information. An executive who might think,
for example, worrying about cyber security is the job of the IT department.
Or the exec may think he or she isn’t paid to worry.

Hadyen said the answer to that question should be looked at in context with
the question on whether the organization had procedures in place to handle
a breach. Over half said they had no procedure, she pointed out. She also
noted that respondents were senior decision-makers with responsibility and
knowledge of their company’s privacy and security practices.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180601/3f63081d/attachment.html>