Of the three scenarios below, which do you think are privacy breaches?
- A virus is sent to staff via a fake promotional email, which is accidentally opened and allows access to stored client files.
- An employee is walking to their car when a folder of files containing personal client information is blown away in a gust of wind and cannot be recovered.
- An employee accesses client files that they do not have authority to look at.
If you think they all are examples of privacy breaches, you’re correct. While many of us believe privacy breaches only stem from sophisticated attacks by elusive hackers, simply misplacing or losing documents is still considered a breach.
Privacy breaches affecting millions of people continue to make headlines across Canada and globally – from Facebook and Sony, to Canadian Tire, Loblaws, and even Statistics Canada.
In March, CBC reported, “The federal agency in charge of collecting, analyzing and securely storing personal data about Canadians lost hundreds of sensitive files during the 2016 census process.” The Access to Information findings detailed, “Some confidential documents were left on a subway or sent to the wrong home. Hundreds more were lost in a stolen car.” Other breaches included a gust of wind blowing away 16 pages of files, which included names, addresses and phone numbers.
On November 1, 2018, federal regulation will come into place, making it mandatory to report security breaches that pose a “real risk of significant harm” to the individuals impacted. Businesses will have the flexibility of communicating to those impacted in a way they deem to be appropriate (phone, email, advertising etc.) and while this must be done as soon as feasible, a specific timeline has not been set. Organizations could face fines of up to $100,000 if they don’t comply, not to mention the time and cost associated with the breach notification.
Reporting and subsequently dealing with a privacy breach can be costly for organizations. Engineering firms that have a primary professional liability policy under the OSPE program already benefit from some privacy breach coverage components, such as loss of documents, breach of confidentiality, dishonesty of employees, and infringement of copyright.
Regardless of whether you have your primary policy through BMS or not, it’s important to understand that the possibility of suffering a privacy and cyber breach continues to rise. Engineers, along with most other professionals who hold any sort of personal client information, are implementing further safeguards including software encryption, antivirus protection and additional insurance.
Along with the primary professional liability insurance policy, there are two supplementary Cyber Security & Privacy Liability solutions made available to OSPE members:
- One is an extension to the primary PLI policy providing coverage specifically for the basic cyber risk component.
- The other is a more robust policy with a higher limit, covering the losses sustained by both your client (third party) and your business (first party). It encompasses everything from a ransomware attack to business interruption and breach response services, including notification costs.
Whether you’re an independent contractor or a business owner, it’s important that you’re aware of regulatory changes and have the right protection in place.
If you have any questions, or want to discuss your individual circumstance, contact a BMS broker who will be able to provide further information and a competitive quote for comprehensive coverage.
This post was prepared by BMS Canada Risk Services Ltd.