In an earlier post, we discussed the report of the Office of the Privacy Commissioner of Canada entitled Privacy and Cyber Security: Emphasizing privacy protection in cyber security activities (the “Report”). The following are some takeaways for retailers from the Report.
While retailers are required to comply with laws and regulations across varying jurisdictions, the Report suggests that a mechanical approach consisting of “blindly pursuing compliance” or a “check-the-box” compliance model based on government regulations does not necessarily mean that the organization is secure. According to the Report, effective compliance does not mean that an organization has implemented the reasonable measures or industry standards with respect to cybersecurity risk management. The best defence is implementing a broad set of operational and technical best practices that help protect business and customer personal data.
The following are some guidelines from the Report that may assist retailers in developing their overall compliance program, as well as help protect data containing personal information and limit privacy liability:
- Consider appointing a Chief Information Security Officer or someone designated to ensuring security of the company’s data.
- Develop a business continuity management plan.
- Develop a strong security posture that protects against cyber-attacks, such as point-of-sale intrusions, denial of service attacks, or web application attacks.
- Create a data stewardship plan to deal with consumer data. As a part of this plan, ensure that consumer data is only kept as long as it is reasonably required and destroyed or deleted once the data is no longer needed.
- Train employees to ensure familiarity and compliance with all policies and practices.
In addition to these guidelines, we suggest that it is important for retailers to develop a strong incident response plan. Elements of this plan may include:
- Developing a breach protocol and cyber security system that is amended periodically based on the results of regularly scheduled penetration testing of its systems.
- Incorporating a notification procedure in the breach protocol in order to report breaches to the applicable Privacy Commissioner. Even in jurisdictions where such notification is not strictly required by law, it may be advisable to notify the Privacy Commissioner (or affected individuals) of data breaches where such notification to Privacy Commissioners or individuals would help mitigate the harm arising from the breach.
- Ensuring that all contracts with third parties, such as suppliers, distributors, business partners and other service providers, include notification provisions that require the third party contractor to immediately inform the organization of any breach or suspected breach. Inform third parties of the breach protocol once it is developed.
While these guidelines may assist retailers in developing a program for compliance with the legislation and regulations, effective compliance and cyber security will require proper implementation of these guidelines and processes that recognize the significance of these measures. Sound privacy practices and cyber security can protect your brand, increase consumer trust and decrease legal risks.
For a full analysis on why mere compliance with privacy requirements may no longer be enough, please click here.