Québec formally adopted last week an overhaul of its statute regulating the handling of personal information by businesses in the province. Bill 64 was an attempt to bring the Québec Loi sur la protection des renseignements personnels dans le secteur privé in line with more modern pieces of legislation used abroad, including the famed GDPR in Europe.
The revised statute now includes more stringent obligations for organizations handling such data, and includes potentially huge fines (we’re talking millions) for businesses caught violating the law. Yes, I think we can safely say that the province of Québec now has a real piece of legislation to govern how organizations are supposed to protect personal information when collecting, using or communicating it.
Though the statute was formally adopted, one should note, however, that most provisions included in Bill 64 will come into force only in September 2023, thus giving businesses about two years to shape up. During that time, the Québec watchdog (the “CAI”) will also seek to provide guidance by coming up with rules and protocols that it expects businesses to apply and abide by.
A limited number of provisions will come into force in September 2022, including those related to the obligation for businesses to disclose security incidents that may have exposed personal information to loss or theft, for example following a hacking incident. The Québec media reports that the government intends to curb a culture of negligence when it comes to adequately handling and protecting personal information. After almost 30 years of being governed by an obsolete statute as far as personal data is concerned, Québec businesses certainly have work to do!
The U.S. started cranking up the heat on the cybercriminals responsible for recent major ransomware attacks on American businesses and organizations. This includes offering a reward of millions of dollars to anyone who provides specific information as to the criminals behind those recent attacks.
The move is part of several initiatives by the U.S. to try and start getting a handle on the problem of ransomware, a problem which is fast reaching epidemic proportions. Who knows, large rewards like these may help motivate citizens and businesses to investigate recent attacks and maybe even track down those responsible for these cyberattacks. Can’t hurt!
In addition to those rewards, it seems the U.S. is also continuing to tighten banking regs (to squeeze those trying to cash cryptocurrency paid as ransom) and increase international collaboration.
It is hoped that initiatives such as these may help obtain more information, in particular, as to recent sophisticated attacks which were, more than likely, sponsored by foreign states such as Russia, China and North Korea.
Faced with a seemingly endless series of cyberattacks through ransomware, some businesses are now turning to insurers to make sure they are in a position to pay any ransom demanded of them. Insurers indeed realized a while back that some companies would pay to insure against the risk of facing cyberextortion and having to pay to recover their own data. Once insured with such coverage, a business can essentially have the insurer pay the ransom that cybercriminals are requesting once the business falls victim to ransomware that encrypts its data.
Recently, the European insurer AXA decided to stop offering this type of coverage in France, in part because of certain comments from French authorities to the effect that this type of coverage was essentially counterproductive and, as such, may be something that France would soon prohibit. Indeed, according to many (including the FBI), the existence of insurance coverage of this type in fact encourages the ransomware industry, because it increases the odds of managing to convince the typical victim of such a cyberattack to pay a ransom.
In what may be a clue that this type of coverage does play into the hands of criminals, shortly after its announcement, AXA’s Web servers were the object of a DDoS attack from criminals, in what may be seen as retaliation. It seems criminals do want insurers to keep paying ransoms, which may be a reason to rethink allowing it, in the future, if you ask me.
Even though forbidding payments by insurers is not likely to stop ransomware, many are now calling for a global strategy that may allow us to collectively fight the problem, including by ceasing to throw oil on the fire, so to speak. Sure, insuring against this risk is convenient, but is it the right thing to do in the grand scheme of things? The question stands.