Quick Intelligence Blog

Privacy and security go hand in hand. Cyber security focuses on protecting the information from unauthorized access, while privacy focuses more on protecting the contents of the information and ensuring it isn’t accessed or shared inappropriately. Both businesses and individuals have an expectation of privacy when they trust another business with their data.

A new survey by the Canadian Internet Registration Authority (CIRA) says that nearly 70 per cent of Canadian organizations facing a ransomware attack last year paid the demands to avoid downtime, reputational damage and other costs. The interesting thing is that when they asked cyber security professionals if they supported legislation to make ransomware payments illegal, 64% said yes.

So, you are a small business owner, and are about to land your first big client. Everything is going well, but before they sign the contract, they hand you a cyber security questionnaire. Now the panic sets in. Does this sound familiar?

PCI compliance, or Payment Card Industry compliance, is a set of standards created to ensure that when business take credit card payments online, they do it in a secure manner, minimizing the risk of credit card theft. The PCI Council creates the rules (there are ~150 of them) which dictate everything from firewall configuration to security protection on devices used to store, process, or transmit credit card data.

The National Institute of Standards and Technology (NIST) was “founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation's oldest physical science laboratories.” In 2013, then-president Obama tasked NIST to create a set of common-sense protection actions that SMBs could take to better protect themselves from Internet-based exposures.

Canada’s data privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA, governs how private Canadian companies are responsible for the collection, use and disclosure of personally identifiable information (PII) during the course of their regular business activities. PIPEDA fist came into law in 2000 and must be reviewed by parliament every 5 years. The last update to PIPEDA came into law on November 1, 2018, and for the first time, it included regulations for disclosing a cyber security breach.

The General Data Protection Regulation, or GDPR, is a law created by the European Union to protect its citizens’ privacy and information. It includes the concept of the “right to be forgotten”, meaning if an EU citizen doesn’t want you to have their information, they have the right to request that it be deleted entirely and expect proof when completed. If you do business in the EU or have EU citizens as customers, GDPR applies to you, take it seriously as significant fines for non-compliance can apply! Fines can be as high as 20,000,000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The California Consumer Privacy Act (CCPA) is a state statute designed to protect the personal information of California residents. Like the EU’s General Data Protection Regulation (GDPR), It gives residents the right to know about information being collected about them and why it’s being collected, the right to request information be deleted (with some exceptions), the right to opt-out of having their information sold, and the right to non-discrimination for exercising these rights. Only California residents have rights under the CCPA.

Has this happened to you before? Your business is about to land a big client. Everything is going well, but before they sign the deal, they want you to sign off on a Cyber Security Questionnaire. Not only that, but they have also asked you for a SOC Audit, and you don’t even know what it is.