Risk & Business Magazine Condotta, Merrett & Company Fall 2015 | Page 7

President of Commercial Lines for Intact Insurance’s Ontario and Atlantic divisions. Typical commercial policies do not cover these types of breaches. However, customers can easily add on this coverage, such as Intact Insurance’s cyber endorsement, to make sure they are protected. Most include access to educational resources to help companies prevent attacks, so customers receive value immediately. These products are typically administrated by an independent third-party, like IDT911, who are experts in the field. While the monetary expense of a privacy breach can be detrimental, small businesses that encounter breaches are more impacted by reputational damage than larger businesses. A report from Symantec, a security software company, states that 60 per cent of small businesses will go under within six months of a cyberattack. Canadian businesses now have a lot more responsibility when it comes to a privacy breach since the Personal Information Protection and Electronic Documents Act (PIPEDA) has been amended to include mandatory breach notification. Businesses will also have to keep a record of all data breaches and may need to report them to the Privacy Commissioner. A business that knowingly fails to report or record a breach may be fined up to $100,000. While not yet in force, these provisions will require businesses to notify affected individuals, as well as the Privacy Commissioner of Canada, about any breach of security safeguards involving personal information under the business’ control, and where the breach poses a “real risk of significant harm” to the individuals. Government institutions and other organizations will also need to be notified in certain circumstances, including if the business believes that the institution or other organization may be able to reduce or mitigate the risk of harm to the affected individuals. The new requirements for mandatory breach reporting will create real, measurable, costs for organizations that experience a breach. With so many risks facing small businesses, how can they protect themselves in the event of a breach, or prevent an attack in the first place? “Small businesses need to ensure they protect themselves from these types of attacks by using proactive and reactive methods,” says Nathalie Dufresne, Vice “Before a breach even happens, customers can visit IDT911’s customer portal to access training on breach issues such as compliance and privacy security, and download a customizable privacy breach incident response plan—essential to minimizing the impact of an attack,” says Nathalie. If a breach occurs, the insurance covers expenses such as assistance in notifying impacted individuals, computer forensic services to determine if a privacy breach has occurred and to assess the breach’s severity, public relations assistance to help restore the business’ reputation, as well as credit monitoring for customers affected by the breach. Intact Insurance’s cyber endorsement also includes business interruption coverage, so the business is protected if it can’t perform critical operations such as processing credit cards. No matter the product, cyber insurance is essential for any sized business. Additionally, the new legal requirements and the exposures that small business may face due to lack of resources or familiarity with this risk makes it even more important for them to ensure they are protected. TM FALL 2015 RISK & BUSINESS MAGAZINETM 7