There is no shortage of examples of companies that have stored sensitive, personal information without adequately protecting it. Just think of the case of Desjardins, whose 4.2 million customers were affected by data theft.
The images below illustrate, on the one hand, the severity of data losses caused by insider theft and, on the other hand, that data exfiltration accounts for 68% of attacks.
It is this situation that led the Quebec legislature to adopt Law 25 (formerly Bill 64), which uses highly dissuasive penalties to force companies to better protect the personal information of citizens.
It is important to remember that the fines can reach 25 million dollars or 4% of worldwide turnover for the previous financial year, whichever amount is higher. These amounts are doubled for a repeat offence.
The consequences of a breach on your business
Obviously, data breaches, particularly those involving personal information, can have very serious repercussions for the individuals who are victims, but also for the company, if they are not detected or (better still) blocked in a timely manner.
Implementing the appropriate technological tools to detect them is therefore of the utmost importance.
In this article, we will therefore examine how Microsoft can help you comply with the requirements of Law 25 in order to minimize the risk of sanctions by better protecting the data entrusted to you.
The gradual enforcement of Law 25 concerning the protection of personal information could lead you to believe that you have time before you need to comply with the new requirements.
But time is ticking.
Although administrative monetary penalties and fines only apply from September 2023, the obligations to appoint a person in charge of the protection of personal information and to report confidentiality incidents to the Commission d'accès à l'information (CAI) take effect on September 22, 2022.
In the event of a privacy incident involving personal information, the law requires companies to:
You still need to be able to detect these incidents!
Companies have until September 22, 2022 to appoint a privacy officer and implement their privacy incident response plan.
A privacy or confidentiality incident occurs when personal information is accessed, used or communicated without authorization by law, or when it is lost or its protection is otherwise compromised.
Here are some examples of privacy incidents:
Because the law aims to improve data governance and privacy practices, it necessarily has a significant technological component: you must be able to monitor and respond to privacy incidents.
For personal information to remain private, it must be secure.
This means that you must have a solid data management policy associated with adequate data protection.
We can agree that the ever-increasing amount of personal data collected by companies raises the question of the confidentiality of personal information, and therefore of regulatory compliance with Law 25.
It is also safe to say that, since Quebec's industrial fabric is made up mainly of SMBs, Microsoft 365 Business Premium should be the norm.
The image below illustrates Microsoft's approach.
Some features require Microsoft 365 E5. However, the Microsoft Purview Information Protection and Microsoft Purview Data Loss Prevention (DLP) technologies explained below are an integral part of Microsoft 365 Business Premium.
The initial questions you should ask yourself are:
1. Do you know where your critical and sensitive data is and how it is being used?
Microsoft Purview Information Protection helps discover, classify, protect, and manage sensitive information in documents and emails by applying sensitivity labels. Labels let you control who has access to company information by enforcing restrictions on forwarding, copying or printing.
With Microsoft Purview Data Loss Prevention (DLP) for Exchange Online, SharePoint Online, and OneDrive for Business, businesses can automatically identify, monitor, and protect sensitive information in emails and files (including files stored in Microsoft Teams file repositories). This helps prevent employees from sharing sensitive information such as credit card numbers and social insurance numbers.
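To make the above concrete, here is an added example (not part of the original article, nor Microsoft's own documentation) of configuring such a DLP policy from Security & Compliance PowerShell rather than the Purview portal. It assumes the ExchangeOnlineManagement module, an account holding the Compliance Administrator role, and placeholder values for the admin UPN, the privacy officer's mailbox, and the policy and rule names. The policy starts in simulation mode so you can review matches before anything is blocked.

```powershell
# Added example (not from the article): a Purview DLP policy covering Exchange Online,
# SharePoint Online, OneDrive and Teams that blocks external sharing of credit card
# numbers and Canadian social insurance numbers.
# Assumptions: ExchangeOnlineManagement module installed, Compliance Administrator
# rights; the UPN, mailbox, policy and rule names below are placeholders.
Install-Module ExchangeOnlineManagement -Scope CurrentUser   # first time only
Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# Confirm the built-in sensitive information types exist under these exact names
Get-DlpSensitiveInformationType |
    Where-Object { $_.Name -in @("Credit Card Number", "Canada Social Insurance Number") } |
    Select-Object Name

# 1. Policy scoped to all supported workloads, in simulation mode with policy tips
#    (TestWithNotifications): users see the tip, nothing is blocked yet.
New-DlpCompliancePolicy -Name "Law25-PersonalInfo" `
    -Comment "Law 25: personal information leaving the organization" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -TeamsLocation All `
    -Mode TestWithNotifications

# 2. Rule: at least one credit card number OR one Canadian SIN, shared with
#    someone outside the organization -> block, warn the user, alert the privacy officer
$sensitiveTypes = @(
    @{ Name = "Credit Card Number";             minCount = "1" },
    @{ Name = "Canada Social Insurance Number"; minCount = "1" }
)
New-DlpComplianceRule -Name "Law25-BlockExternalShare" -Policy "Law25-PersonalInfo" `
    -ContentContainsSensitiveInformation $sensitiveTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser LastModifier, Owner `
    -NotifyPolicyTipCustomText "This item contains personal information protected under Law 25 and cannot be shared outside the organization." `
    -GenerateIncidentReport "privacy-officer@contoso.com" `
    -IncidentReportContent All `
    -ReportSeverityLevel High

# 3. Once the simulation results in the Purview portal look right, enforce the policy
Set-DlpCompliancePolicy -Identity "Law25-PersonalInfo" -Mode Enable
```

Two design choices worth noting: the rule only fires on sharing outside the organization (`-AccessScope NotInOrganization`), so internal collaboration is not disrupted, and the incident report is routed to the privacy officer the law requires you to appoint, which gives that person a record of each attempted exfiltration to assess against the CAI reporting obligation.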
You can implement cybersecurity practices without privacy protection, but you cannot implement privacy practices without cybersecurity.
And even if your data collection policies comply with the law, if you don't protect that data with adequate security measures, such as multi-factor authentication, advanced endpoint security and access management, you have a high risk of a data breach. And who would want to attract the attention of regulators like that?
Since you are using Microsoft 365 Business Premium or Microsoft 365 E3, you already have Microsoft Purview Information Protection and Microsoft Purview Data Loss Prevention (DLP). You just need to configure them.
If you haven't started your Law 25 compliance process, you should get started right away and not wait to upgrade your security level.
You will thus be able to prove that you have put in place the appropriate measures to protect the personal information in your custody and that you have effective incident management.
Present's cybersecurity experts are at your disposal so that you can focus on the success of your business with peace of mind, while minimizing your risk of breaches.