Cybersecurity: Why is Law 25 an opportunity?


«It goes without saying that recent years have been turbulent in the realm of cybersecurity. Not a week passes without hearing in the news that a company has been targeted, leading to significant disruptions or even complete halts in operations. How many attacks go unnoticed by the media? Cybersecurity experts unanimously agree that this is just the tip of the iceberg. Business leaders should inquire with their security officers about the number of thwarted attempts per day. The result may be surprising for many. However, just one successful attack is enough to create chaos.»

Pierre Farley, Partner and CIO, Eficio

There are numerous examples internationally, including in Quebec, and not only within large enterprises. Attackers have also refined their approach. They no longer limit themselves to encrypting data in exchange for a ransom; they now aim to extract as much sensitive data as possible in order to threaten companies with publication on the dark web. BRP is a concrete example from recent months.

Companies are not the only ones nervous about their security posture; citizens are now also aware of the risk of their personal information being shared without their prior consent. They are now supported by Law 25, which protects their data. For this reason, companies must now treat this data as information entrusted to them rather than as an asset they own.

According to a Pew Research survey, a large majority of citizens (79%) are concerned about their personal information circulating and about how it is used. It doesn't take a fortune teller to predict that the success or downfall of a company will depend on how it protects its data and how it acts in the event of a breach. Citizens will always have the option to leave, supported by the right to data portability under Law 25.

Data security and cybersecurity must be part of the company's strategy as an opportunity, not just an obligation. Companies that demonstrate their commitment and publicly display their approach in this regard can stand out. Not only is the protection of personal information mandatory under Law 25, but companies that approach it strategically and integrate it into their business plan can distinguish themselves from those that do it only out of obligation.

Do you know all the types of data you manage, their sensitivity, and the variety of forms and locations in which they exist?

How can you protect data without being able to identify it and understand its lifecycle within the company? The proliferation of data storage media doesn't help: different database instances, thousands of files accumulated over the years, emails, laptops, removable disks, SaaS cloud platforms, backups. So many places to control.

With Law 25 now in effect, it becomes an opportunity to better map sensitive data (personal information, trade secrets, financial data) as a whole, control the data circulating in your organization, protect it against breaches, and even improve your disaster recovery. By mastering the company's data lifecycle, these initiatives can lead to optimization projects for information processing, especially in a context where artificial intelligence is a given. Do you know about data valuation? In 2018, Statistics Canada estimated the value of data in Canada at $200 billion.

Maintaining existing business and developing new business opportunities

No choice! Companies must implement Law 25 for the protection of personal information. Among the rules of Law 25, sharing information via third-party services is subject to strict controls. Organizations will want to ensure that their providers are squeaky clean regarding the protection of personal and sensitive data. Service providers therefore have an interest in quickly putting their own program in place as a defensive strategy.

Beyond maintaining existing business, companies need to reflect on their business strategy regarding cybersecurity and the protection of personal information by taking a proactive approach. This can take various forms, such as adopting a security standard and even obtaining certification by a third party (SOC, CIS, NIST, ISO). Many companies are already taking this path, seeing it as an investment that allows them to increase sales and carve out a place among the major players.

Companies that want to stand out locally and globally can no longer limit themselves to optimizing their operational processes, the quality of their products, and cost competitiveness. Internationally, the United Nations data speaks for itself: 71% of countries have adopted a data protection and privacy law, and 9% are in the process of adopting one.

Corporate Governance

The obligations of Law 25 should not be seen as a task falling solely on the officer responsible for personal information protection or on the information technology function. It is a commitment involving all executives and all business units of the organization. Law 25 introduces a concept of "relevance" of data: collecting only the data the company truly needs and being able to explain why that data is essential.

To comply with Law 25, for every investment in new functionality (application, SaaS, server, partner, merger and acquisition), the company must ask what personal information will be involved and, consequently, what procedures will have to follow. This requires every stakeholder to sit at the same table: the business unit, the person responsible for personal information protection, cybersecurity, and the business analyst. It is therefore an effort to understand the value of the investment and to maximize it.

The executive committee of an organization must consider the implications of Law 25 and the risks of security breaches. The VP of IT is often responsible for exercising this executive responsibility. Having the person responsible for overall data protection and cybersecurity sit at that table with the same level of authority becomes a governance priority. The executive committee will then have a holistic view of strategies and can ensure that decisions are made with full knowledge. Executives must see the person responsible for data protection and cybersecurity as a business facilitator.

Data protection and cybersecurity officers must also change their approach: understand the business strategy, issues, and vision; listen to other executives; understand their needs; and guide them toward a solution aligned with the strategy rather than focusing only on security issues. Executives, working in partnership, should measure the value of an investment against its benefits and associated risks. The result will be a transparent and clear decision.

Law 25: an opportunity rather than a constraint

Implementing Law 25 is not a simple project. Of course, this complexity will depend on several factors specific to the size and type of data managed by the organization. However, there is a factor applicable to all companies that will make a difference: embark on this project as a business strategy. Your opportunities are multiple:

1. Strengthen customer trust
2. Improve business management
3. Limit your risks and enhance personal information protection and your security posture
4. Develop new markets

Although this law was adopted in September 2021 and its first obligations are spread over three major milestones (September 2022, September 2023, and September 2024), many companies have not yet followed suit. The obligations set for September 2023 are numerous and require planning. Above all, the obligations of Law 25, and cybersecurity in general, should not be seen as milestones to be met, but as an ongoing strategic activity.