On November 1, 2018 the Government of Canada implemented significant changes to the Personal Information Protection and Electronic Documents Act (PIPEDA). Much like the European Union's General Data Protection Regulation (“GDPR”), released in early 2018, the new rules put power back in the hands of the individuals whose personal data is being collected and stored. Non-compliance with PIPEDA can result in fines of up to $100,000 per violation. If your organization has not already done so, it is time to consider your obligations and create a plan to comply.


With the release of the GDPR, the Government sought to harmonize the Canadian rules with the GDPR's data breach notification rules. Although PIPEDA has long provided adequate protection for personal information, the Government took these additional measures because it considers alignment with the GDPR important for Canada-EU trade.

Mandatory record-keeping for all breaches 

Much like the GDPR rules, Section 10.3 of PIPEDA requires organizations to keep and maintain a record of every breach involving personal information under their control. Organizations are also required to provide the requested records to the Commissioner in a timely manner. Based on the records provided, the Commissioner may publish the information if doing so is in the public interest, and/or launch an investigation or audit based on the information in the breach file.

The record-keeping requirement is an important compliance consideration and has the potential to create costs and risks for organizations. For example, there may be additional litigation claims in relation to breaches (including breaches that did not result in notifications to individuals), if the organization does not fully comply or report breaches.   

Record-keeping Requirements  

Organizations must maintain a record of every breach of security safeguards for a minimum of 24 months after the day the organization determines that the breach has occurred. The record-keeping requirement applies to all breaches, not only those that give rise to a real risk of significant harm.

Under section 6.2, breach records must contain “any information that enables the Commissioner to verify compliance with [the breach notification and reporting provisions]” – meaning the Commissioner must be able to validate whether the organization notified and reported each breach as required by PIPEDA. The regulation does not give organizations specific rules on how the records are archived, but they must be able to provide the appropriate information on request.

Data Breach Reports  

PIPEDA’s data breach obligation requires organizations to assess a number of factors in determining whether a breach of security safeguards creates a real risk of significant harm. It is up to the organization to consider the sensitivity of the information involved, the probability that the information will be misused, and the potential for “bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on a credit record and damage to or loss of property” when assessing that risk.

Data Breach Reports to the Commissioner 

If the Commissioner has requested a report, the regulation lays out what your organization needs to provide to comply. The report must be made in writing and sent by any secure means of communication. The requirements are as follows:

  • The circumstances of the breach and the cause. 
  • The date or period of time when the breach occurred. If the time is not known, the approximate period must be provided.  
  • The compromised personal information and extent of the breach.  
  • The number of individuals affected by the breach. If the number is unknown, the approximate number must be provided.  
  • Clearly laid out steps that the organization has taken to reduce risk or mitigate harm to individuals that could result from the breach. 
  • The steps the organization has taken to notify affected individuals.
  • The name and contact information of a person in the organization who can answer the Commissioner’s questions about the breach.

Data Breach Reports to the Individual  

Under sections 3 and 5 of the regulation, organizations must notify each individual whose personal data has been compromised. Unlike the GDPR, PIPEDA gives organizations a lot of flexibility to decide, based on the type of breach, whether to notify the individual directly or indirectly.

Indirect Notifications   

Indirect notification must be given “by public communication or similar measure that could reasonably be expected to reach the affected individuals.” In section 5, the regulation provides guidance on when organizations should use indirect notification:

  • Direct notification would be likely to cause further harm to the affected individual.
  • Direct notification would be likely to cause undue hardship for the organization. 
  • The organization does not have contact information for the affected individual. 

Direct Notifications   

Section 3 requires that notifications to individuals include sufficient information to allow them to understand the significance of the breach to them, and to take steps, if possible, to reduce the risk of harm. PIPEDA requires that the same information provided in the Commissioner’s report be provided to the individual.

The components of a PIPEDA Compliance strategy:         

  • Ensure records of all breaches are archived for at least 24 months
  • Create a cybersecurity strategy for the storage of sensitive data
  • Develop an Emergency Response Plan
  • Ensure legal compliance is up to date with GDPR and PIPEDA
  • Identify and assign a data privacy controller in your organization
  • Request that third-party service providers give you access to their breach file
  • A privacy toolkit is available for organizations working to meet their PIPEDA responsibilities.

Storagepipe can help!  

With the implementation of GDPR and the PIPEDA changes, organizations must take control of how they obtain and protect personal data. With Storagepipe, we ensure your data is secure so you can get back to business. If you need help with keeping your data safe or creating a PIPEDA compliance strategy, contact us today.

Data protection for manufacturers is not easy. With increased cyber-attacks, regulation changes, shrinking budgets, and a complicated political cross-border environment – data protection can feel like just another burden on the IT team.

Today’s growing manufacturing organizations face IT challenges that include increasing costs, evolving business requirements and aging technology. Finding new solutions that ensure the right processes and technology are in place is important to the growth of many manufacturing organizations. With these in place, attention can be turned to the important business of innovation and attracting and retaining top talent.


A manufacturer becomes much more agile by finding solutions that not only improve processes but also bring together all the information needed to develop new products faster, and then get those products through the supply chain and on to the customer more quickly and cost-effectively.

With malicious insiders, external hackers and natural disasters on the rise, manufacturers must be proactive in protecting their data to avoid losing their competitive edge and credibility in the marketplace.

For many IT departments, dealing with sensitive information and increased regulation around how data is used and stored has created added pressure. With structured and unstructured data – CAD files, source code, business processes, proprietary systems and formulas – being the most valuable intellectual property for manufacturers, finding systems that identify sensitive data is key to protecting the organization before a disaster happens. But for many manufacturers, the available solutions are not cost-effective and don’t integrate well with legacy systems.


Finding new solutions is hard enough for IT teams; the need to keep production running during an upgrade, paired with the uncertainty of what happens when old and new systems are mixed together, can be daunting.

The reality is that a large proportion of manufacturing organizations have some sort of legacy system to maintain. Machines of various vintages and conditions, a Manufacturing Execution System, or an aging AS/400 can create more complexity and the need for comprehensive heterogeneous options as departments try to implement new solutions.


In the past, manufacturers simply had to pass an occasional audit if regulations were in place. With data breaches on the rise and governments taking a regulatory stance on cybersecurity, manufacturing organizations have had to increase education and comply with new regulations and standards.

With the implementation of GDPR, many organizations are having to find new ways to protect customer data along the supply chain but understanding how the data is used and processed can be complicated.


The EU General Data Protection Regulation (GDPR) was created to strengthen how organizations handle the valuable personal data they are responsible for, whether they collect and process the data or contract a third party. Below are seven tips to help you get started.

Communicate – Before collecting personal data, explain what data you’re collecting, how you’ll use it, where it will be housed and who it may be disclosed to. If there is a breach, ensure you have a process to let people know within the 72-hour window.

Know what personal data means – GDPR protects people’s personal data. Take extra care of data regarding address, race or ethnicity, age, marital status, political opinions, religion (beliefs or non-beliefs), physical or mental health (including disability), sexual orientation etc.

Uphold individuals’ rights – Individuals are entitled to see what personal data you hold, where it is kept and how it is being used. They can also request to be forgotten, which means you have only a short period of time to remove their information. Ensure your data is easily found and erasable – even when archived.

Data minimization – Don’t keep personal data for longer than is necessary; make sure that personal data is destroyed securely and in full.

Store information securely – Create new company protocols to increase data security. Use strong passwords and encrypt all personal data held on portable devices (such as laptops, memory sticks, and tablets).

Education – Ensure all employees understand the importance of keeping data safe and secure, and what the processes are for sharing and communicating data.


IT departments looking for technology to support new solutions while navigating legacy systems have found that cloud computing offers some compelling options. Depending on your needs, cloud hosting can help you keep costs down by decreasing your IT spend while providing a more flexible, agile and scalable option.

Cloud services also help to share data securely across platforms and with all partners, contractors, and suppliers while complying with strict regulations. The right service can provide organizations with a detailed audit trail to support demonstrating compliance in minutes.

It’s also important to understand when data is at risk. With ever-more sophisticated hackers going after important data, cloud technology can increase visibility. Utilizing data cloud services provides an easy, flexible and safe way to control, detect and respond to threats – both insider and outsider.

Although cloud and data protection technologies cannot solve all of a manufacturer's challenges, they can contribute to innovative solutions that deliver the right goods to the right place at the right time—as quickly, reliably, cost-effectively, and securely as possible.


At Storagepipe, we do the work so you can get back to business. Our data protection and disaster recovery services provide the safe, secure and flexible controls to protect your structured and unstructured data against insider and outsider threats. With Storagepipe, rest assured your data is secured wherever it resides and wherever it is shared – across networks, storage, endpoints or in the cloud – across any operating environment.

Don’t let any disaster or data loss interrupt your business – talk to a Storagepipe expert today.

With the adoption of GDPR and the Canadian government providing regulatory support in combating threats to personal data, it’s a chance for organizations – both big and small – to create their own cybersecurity plan.

What can companies do to recognize and combat cybercrime and improve their cyber-education? Here are some tips and best practices that will help you and your company recognize cybercrime and combat the threats.

  1. Keep your team educated on cyber-awareness

Education and cyber-awareness are the best defense. Management and employees should be trained to understand IT governance issues and control solutions, as well as to recognize concerns, understand their relevance and respond accordingly. Firms should also invest in cybersecurity education programs so employees learn how to protect their computers and personal information, and how to be aware of the many hacktivists and cyber-criminals that scour the Web in search of targets and vulnerabilities.

  2. Collect and analyze security logs for suspicious or abnormal activities

Your IT team should be actively conducting security investigations, regular audits, log reviews, and ongoing monitoring. Any seriously suspicious behaviour or critical event must generate an alert that is collected and analyzed on a regular basis.

  3. Keep systems and applications patched and up-to-date

Hackers, along with malicious programs or viruses, find vulnerabilities in software that they exploit to access your computer, smartphone or tablet. Installing updates fixes these vulnerabilities and helps keep you secure.

  4. Use strong passwords and keep privileged accounts protected

Reduce the risk of attacks that use compromised privileged account credentials. Create an inventory of accounts, apply change management policies to passwords, and store passwords securely.

  5. Ensure strong encryption

Encryption keeps you safe. As the last and strongest line of defense in a multilayered data security strategy, encryption is used to safeguard customer data and help you maintain control over it. Encrypting your information makes it unreadable to unauthorized persons, even if they break through your firewalls, infiltrate your network, get physical access to your devices, or bypass the permissions on your local machine. Encryption transforms data so that only someone with the decryption key can access it.

  6. Third-party management

Financial institutions should work with vendors to find tools that fit their requirements without the need to hire more IT personnel. Advanced data protection solutions can help to reduce the strain placed on the IT team and the security operations centre while keeping an organization’s sensitive information safely under lock and key.

We can help!

In the financial services industry, downtime can be detrimental to your reputation and businesses operations. Storagepipe’s backup and disaster recovery solutions can help. Our solutions seamlessly address your backup, recovery, compliance, security and archival requirements.

With many major financial institutions including credit unions, insurance, and financial services firms as clients, let us provide you with total peace of mind that your data is securely protected. Start your Storagepipe experience today.

Click here to read Part 1 and Part 2 of our series: Financial Services: Maintain control of your data in the face of an attack

In part one of our Financial Services series, Maintain Control of your Data in the Face of an Attack, we discussed the different types of security threats you may face. In part two we review the regulatory changes the GDPR has created for financial services firms and how the Canadian Government has responded to growing cybersecurity concerns.

General Data Protection Regulation (GDPR)

On May 25th, 2018, the GDPR came into effect providing EU residents with more control over how their personal data is used and stored. This new regulation has set the stage for companies across the globe to review their own data protection regulations.

Is the GDPR relevant for non-EU Financial Services firms?

For the financial services industry, the GDPR is very relevant to the client base. Major banks and financial services providers deal with the EU for various purposes, such as facilitating foreign direct investment, managing local investors and managing transactions between EU citizens or businesses and their counterparts. In each of these cases, the personal data of EU citizens is being collected and processed by a non-EU financial services provider.

Data Breach

From a GDPR perspective, personal data breaches must be notified to the relevant supervisory authority no later than 72 hours after the data controller becomes aware of the breach. The Regulation distinguishes between the services offered by the organization: providers of essential services, such as financial service providers, must report cybersecurity breaches to the relevant authority at a national level (Article 33).

Want to understand the rules of GDPR? Click here to download our GDPR white papers.

GDPR also provides guidance on how to handle data breaches. For example, an infection by ransomware could lead to a temporary loss of availability, even if the data can be restored from a backup. A network intrusion has still occurred, and notification could be required if the incident qualifies as a confidentiality breach (i.e. personal data was accessed by the attacker) and this presents a risk to the rights and freedoms of individuals.

If you’re in the process of aligning your financial services firm with the GDPR, especially in terms of data collection, storage and management, contact us for support with GDPR compliance across your systems.

Canadian National Security Concern

Recently, BMO and CIBC-owned Simplii were both hit by a hacker who threatened to release the account information of 90,000 Canadians. Although the cause of the attack has not yet been released, it has raised several questions regarding server security and third-party contracts. If two of the largest banks in Canada were hit, how will small to midsized businesses stay attack free?

For this reason, the Canadian Federal Government is rolling out a new cybersecurity strategy designed to better protect the country and its citizens from the growing threat of online attacks and crime. The plan, $500 million over five years, includes a range of initiatives aimed at the public as well as businesses.

“Small and medium-sized Canadian businesses are the backbone of our economy but are also the most vulnerable,” commented Byron Holland, president and CEO of the Canadian Internet Registration Authority. “Providing these businesses with cybersecurity strategies and resources is essential to holding back the tide of cyber threats.”




The financial services industry is a routine target for cybercriminals, more so than any other industry. From ransomware to phishing attacks, the first half of 2018 has seen a surge in cybersecurity activity, including a significant breach at two of the largest Canadian banks. Cyberattacks may be unavoidable but, in an industry as crucial as financial services, firms must constantly improve their security efforts and ensure employees are armed with the best solutions to respond instantly in the event of a breach, before important information is lost.

In part one of this series, we discuss the different types of security threats you may face. In part two, we’ll review the compliance and regulatory issues you may face when dealing with cybersecurity. Finally, in part three, we will cover the six steps to avoid cybersecurity risks.

What Are the Most Common IT Security Threats?

  1. Ransomware – Hackers sneak into computers and restrict access to your system and files. They then demand a payment in exchange for restoring access to your system.
  2. Malware Infections – This is the common name given to several kinds of security threats that infiltrate and damage your computer.
  3. Pharming – Its objective is to lead you to a malicious, illegitimate website by redirecting a legitimate URL to it.
  4. Phishing – This consists of fake emails or messages that look exactly like emails from legitimate companies. You are tricked into thinking it is the legitimate company and may enter your personal and financial information.
  5. Computer Worm – A worm works on its own, lives in your computer, and propagates by sending itself to other computers.
  6. Spam – Spam occurs when you receive unsolicited emails that phish for your information by tricking you into following links.
  7. Distributed Denial-of-Service Attack – The attack strategy is to contact a specific website or server over and over again. This increases the volume of traffic and shuts down the website or server. The malicious user typically uses a network of zombie computers.
  8. Network of Zombie Computers – The malicious user takes control of several computers and controls them remotely.

Want to learn how to stop Ransomware and Malware Infections?
Learn how in our blogs.


When I was a young boy, I saw a sign on our street that said “free puppies”, with an adorable picture. Excited, I went to see my father and said, “Daddy, daddy, the puppies are free. Can I have one, pleeeeas?”

My father reminded me that a puppy is a lot of responsibility. It’s not the cost of the puppy that matters. I also have to factor in things like food, vet bills, and the time and effort I would spend raising this pet.

This reminds me a lot of the current trend towards the commoditization of IT.

At an accelerating pace, business technology is becoming more accessible. And although this has done a great deal to make sophisticated IT systems easier to implement and manage, this convenience also brings its own challenges.

Today, many best-of-breed disaster recovery solutions are inexpensive and contain exciting, powerful and easy-to-use features. But you can’t just think of software licenses when evaluating disaster recovery solutions. You also have to factor in things like hardware, datacenter space, professional services, capital expenditures, vendor lock-in, lost productivity, security issues, and management overhead.

When you take all of the costs and hassles into consideration, the total cost of implementing and managing your own disaster recovery system can be much higher than the initial price.

Also, the free puppy might be lacking some essential capabilities. Maybe it’s too friendly to guard your house, or maybe it can’t catch a frisbee. This is time and effort that you’ll need to invest in training.

Likewise, as your needs evolve, you’ll often find that there are some capabilities lacking in your DR plan. You’ll need to invest heavily in upgrades and training.

Do-it-yourself disaster recovery is a bit like a free puppy. It comes with lots of responsibility. If you’d like more peace of mind around your data protection, consider working with a backup and disaster recovery provider that can take on all of these responsibilities for you while providing you with all the benefits.

GDPR, a set of new rules for data collection and storage, took effect on May 25th, 2018. The purpose of the regulation is to provide individuals with more control over their own data and communicate how that data is collected, stored, processed and used – no matter the location.

For the first time, monetary sanctions of up to 4% of global annual turnover will apply to breaches of the regulation. It also includes additional measures to protect the personal data of EU citizens.

At Storagepipe, we understand the value of data to your organization and the serious implications of a data breach. Download our white papers now to learn about GDPR compliance and how we can help.

Imagine that 3 people want to each open a sandwich shop. One man is a butcher, another is a farmer, and the third is a baker.

The butcher is an expert with meats. The farmer is an expert with produce. And the baker is an expert at making bread. Each is the master of their specific domain.

Of course, each of these could learn the others’ trades. With a bit of effort, the butcher could learn to grow vegetables and make his own bread. But this would not be the best use of his talents. If all three shops operated this way, they would all be overworked and under-productive.

Instead, it would make more sense for all three of these experts to focus on their strengths, and team up with other experts to make up where they lack.

• The butcher could produce all the meats for everyone.
• The farmer could supply all the produce.
• And the baker could supply all of the bread.

By partnering up and relying on each other’s comparative advantages, all three businesses could collectively operate much more efficiently and profitably. When there’s synergy, everyone wins!

Most IT managers are fast learners with versatile skill sets. However, there are some projects and capabilities that might provide more business value than others or be better-aligned with their specific talents.

According to the theory of comparative advantage, the key to maximizing your effectiveness as an IT leader is to focus exclusively on those high-value activities that are best-aligned with your talents. Any other work should be outsourced or delegated.

For example, if your strengths are best-aligned around things such as infrastructure management, then it might make sense to outsource non-core activities such as backup and disaster recovery to a trusted partner that specializes in this domain.

By focusing on your comparative advantage, you can be more productive, free up more time, and achieve total peace of mind.

What would happen if the fire alarm in your office went off at this very moment? Would there be a mad rush for the doors, or would most people just ignore it and keep working until they smelled smoke?

As indicated by the Institute for Research in Construction, only about 25% of occupants react to fire alarms as if they were potential indicators of a real emergency. Instead, most people assume that the alarm is merely a drill.

In other words, fire drills DECREASE the life-saving effectiveness of fire alarms.

Here’s another example to consider.

In 2010, an 89-year-old patient died of heart failure at Massachusetts General Hospital. For 20 minutes, a series of alarms, beeps, and messages had been sending urgent warnings to the hospital staff. It was so distracting that an employee manually shut off the crisis alarm on the patient’s bedside monitor. Instead of prompting appropriate action, these signals were ignored entirely.

These nurses weren’t evil or cold-blooded. Instead, they had become desensitized by years of constant false alarms from oversensitive and malfunctioning medical devices. When an actual crisis was detected, everyone assumed it was simply another false alarm.

This phenomenon is called “Alarm Fatigue”, and it can easily lead to accidental data loss and failure of critical business systems.

As an IT administrator, you are constantly juggling priorities, multi-tasking and keeping up with unplanned work. Alarms are constantly going off, and your job is to decide which fires are truly urgent.

In most cases, if you miss a legitimate alarm, the outcomes are generally minor. But there’s one area where the results can be very severe.

Compared to other conflicting responsibilities, backup and disaster recovery rarely feel like an urgent priority. But when they do become a priority, it’s usually too late to do anything about it.

To be an effective IT leader and respond more efficiently, you need to manage your signal-to-noise ratio. Before you’re notified of an alarm, it helps to have someone who will verify and triage it for you. You should only be notified of actual emergencies that require your immediate attention.

Specialization and delegation are an effective way to deal with alarm fatigue. When you delegate backup to a specialist, you can eliminate all of the distractions and conflicting priorities that might lead to alarm fatigue. Instead, you establish a consistent, repeatable process where every potential problem is proactively investigated and fixed. At that point, you can add further layers of auditing and monitoring to catch any issues that might fall through the cracks.

By making this a dedicated and focused role within your IT function, you can significantly reduce the chances of alarm fatigue creeping into your backup and disaster recovery process.

Of course, this might not be a feasible option for most organizations. If you can’t afford to have a dedicated internal data protection and business continuity team, then outsourcing your backups to a dedicated provider can give you the same benefits at a fraction of the cost.

By outsourcing your data protection and business continuity to a specialized service provider, you can guarantee exhaustive protection and total peace of mind.

In 1992, the Royal Majesty cruise ship ran aground because of an electrical problem with their GPS system. Despite the fact that it should have been clear to any experienced crewmember that the ship had been veering off-course, most simply assumed that the GPS system would correct itself or someone else would take on the responsibility of fixing the problem.

Humans have a bias to trust computers over humans. And this bias grows over time, as computers continue to prove their accuracy and trustworthiness. When a human operator notices something wrong with an automated system, they are often likely to disregard reality and go with what the computer is saying.

This is an excellent example of the “Automation Paradox”.

As automation becomes more effective, the role of the human operator turns out to be more vital. In the same way that automation can create exponential benefits and efficiencies, it can also scale out the harm caused by human error and poor implementation.

In the early days of computing, mainframes were very expensive and difficult to use. Administrators took great care in their maintenance and implementation, and hacking was very unlikely. The process of provisioning a new machine could take months and required approval from many different departments. If these mainframes ever crashed, the company could still maintain some level of operations through its paper-based processes.

Today, virtualization makes it easy to launch new servers with default security settings quickly. IT departments must deal with virtualization sprawl, shadow IT, and employees working on unauthorized systems. Provisioning has become so easy that IT administrators are struggling to prevent new systems from getting added to the network. And as a result, tolerances for data loss, security breaches, and unplanned downtime have virtually dropped to zero.

A day in the life of the average IT manager often resembles the broom scene from Disney’s Fantasia.

Thankfully, the tools have also improved. Today’s IT administrators have access to backup and disaster recovery systems that are both powerful and easy to use. But the automation paradox also applies to backup and disaster recovery systems.

If you can protect all of your virtualized systems from a single application, that’s great. But this also means that human error has the potential to cause much more damage. As your data protection and business continuity tools become more powerful, you likewise have a duty to be extra-cautious with their management, monitoring, and implementation.

This is why we recommend delegating your data protection and business continuity to a dedicated specialist that exclusively does this kind of work, and nothing else. When you outsource your backup and disaster recovery to a specialist, you know that this work is being done by dedicated experts who have the training, experience, and resources to ensure that your systems are always protected.

When disaster strikes, you can take comfort in the fact that these specialists perform real-world recoveries every day. They know how to get the job done right, every time, without fail.

You need the best automation tools. But they have to be managed by the best-trained and most skilled technicians. The more efficient the automation, the more crucial the role of the human operator. If you want total peace of mind, make sure that you have the best people implementing, managing and monitoring your backups.