In this article we define personal information, explain why it’s so important and how valuable it is to hackers, describe how organizations have been misusing it, and outline how they will need to manage it after the introduction of Quebec’s Bill 64.
Your personal information is nothing less than your identity. It makes you unique and serves to differentiate you. It is specific to each individual and includes any information relating to a particular person that makes it possible to identify them directly or indirectly. Quebec's Bill 64 broadened the definition by making any information about an individual automatically protected by the legislative provisions.
Any piece of information that can be used to identify an individual will be considered personal information. This includes an individual’s name, address, or date of birth. It also includes more sensitive personal information, like a social insurance number, banking data and medical information as well as political views, religion and sexual preferences.
Just as you lock your car doors or your smartphone, citizens need to view their personal information as extremely valuable and take the same precautions to make sure it doesn't fall into the wrong hands and get misused. We all know that nowadays, cyber criminals have the tools to exploit your data, sell it on the dark web and hack your systems using that same data, sometimes causing irreversible damage.
Lately, we have unfortunately come to realize that trusting recognized institutions with our personal data didn’t necessarily mean it would be safe. Companies have not been prioritizing the safety of personal data, and that has become a serious problem because it enables a new, easy and lucrative line of business for cybercriminals.
Cyber criminals value and rely on personal data because by stealing it, they can restrict the company from accessing it and are therefore in a position to demand a ransom in exchange for regaining control. They can also leverage the data to conduct additional cyberattacks or threaten to do so.
Data is the lifeblood of company operations and revenue. Cyber criminals encrypt company data so that companies will have to pay to regain access to that precious data and preserve their reputation in the process. Hackers are smart: they know downtime is VERY costly, so they rely on the fact that, once business continuity is disrupted, the company will have no other choice but to pay to mitigate the damages and get back to business as soon as possible.
This is how cyber criminals make their money. However, it wouldn’t be as lucrative if people and companies proactively protected personal information.
The introduction of Quebec’s Bill 64 comes as no surprise. The lack of privacy initiatives by companies, inadequate training for employees, and even failure to follow policies and practices put a lot of people at risk of harm.
One story you may have heard is about Canada’s largest financial breach, at the popular bank Desjardins. The data breach involved 9.7 million people, both active and inactive users. The personal information stolen included last names, dates of birth, social insurance numbers, residential addresses, telephone numbers, email addresses and transaction histories.
These stories always pop up in the news but this bank was taken to court, so there’s a lot more information about the story. (ITWorldCanada)
This year, the Superior Court of Quebec approved the $200.9 million settlement of a class-action lawsuit against Desjardins.
Stories like this are happening every day. Companies are just not prioritizing the safety of personal information.
So, how could an incident like that possibly have been prevented? By adopting stricter legislation that would be enforced in the province.
Let’s review how our new provincial law will remedy the lack of protection for personal information within the province and how citizens will be better protected under Quebec’s Bill 64, especially in cases similar to Desjardins.
Quebec has recently adopted its most restrictive data privacy law to date, modernizing the whole data privacy landscape in the province. Bill 64 establishes a new legislative framework much more adapted to the reality of today’s cyberworld and the online vulnerabilities that companies are experiencing.
Every business processing personal information must comply with the newly enacted legislation, starting September 2022. As this legislation imposes major changes for businesses, the different provisions of Quebec’s Bill 64 are being implemented gradually and have to be fully implemented by September 2024, the vast majority being in 2023.
The purpose of the more stringent requirements is to force organizations to take privacy seriously and focus notably on the implementation of appropriate security safeguards. Otherwise, severe new penalties will be enforced on offending companies, which could have disastrous consequences.
By being compliant, organizations will prevent a lot of confidentiality incidents, or at least better position themselves to be able to mitigate the damages.
Those are just a few of the numerous requirements that businesses will need to meet in order to be compliant and not be held accountable for a lack of safety measures. Here is a list of all the requirements.
As of right now, many enterprises are not being proactive and things will undeniably have to change. With Quebec’s Bill 64, treating privacy as a crucial component of an organization’s practices will no longer be optional. Businesses will have to meet compliance or face the consequences.
If you’re a business, consider Assurance IT’s Bill 64 training. As the pioneer in the space, we offer a complete 8-hour training that prepares your Data Protection Officer for Quebec’s new data privacy law.