News from HUB Employee Benefits
April 2018 | Issue 26

Data Breach: Notification Requirement Coming to All Canadian Companies

Three years after the Digital Privacy Act became law in 2015, Canadian companies will be required to notify consumers when their personal information has been compromised. Such regulations already exist for public organizations in Canada; however, all businesses in every sector are now expected to be impacted by mandatory breach notification requirements. Companies in all provinces except Quebec, Alberta and British Columbia – which have their own provincial privacy laws – as well as all federally regulated firms will be covered by the data breach notification requirements.

Effective November 2018, the new rules require companies to inform Canadians when their data has been compromised “as soon as feasible after an organization determines that a breach has occurred”. When it is “reasonable to believe the breach creates a real risk of significant harm” to the affected individuals, companies will be required to issue notifications that include:

  • A description of the circumstances of the breach
  • The timeline during which the breach occurred
  • The personal information that was breached
  • The steps the organization has taken to reduce the risk of harm
  • The steps the affected individuals can take to reduce the risk of harm resulting from the data breach
  • A toll-free number or email address that the affected individual can use to obtain further information
  • Information about the organization’s internal complaint process
  • The individual’s right, under the Act, to file a complaint with the Commissioner

The notification is required to come directly to each and every individual’s attention via email, mail, telephone or in person, except for circumstances outlined in the Act. The provisions also contain rules for when Canadian companies must notify the Privacy Commissioner about a breach.

HUB's Canadian Cyber Risk Experts have outlined the following steps businesses should take prior to November 1, 2018:

  • Determine your obligations under the new laws and regulations;
  • Review, update or develop policies and procedures to meet your new obligations, including: risk assessment, notification to individuals, reports to regulatory bodies, notices to third parties, and especially record keeping;
  • Review your incident response plan. It should have a clear framework to identify the steps your business will take when a breach occurs;
  • Identify outside specialists who can assist your business in preparing and responding to breaches;
  • Implement appropriate training and awareness programs for anyone in your organization who handles sensitive information on behalf of the organization;
  • Ensure you have acquired proper Cyber Liability Insurance coverage.

Cyber risk is a new reality facing all businesses in Canada. Cyber liability insurance is associated with this risk and provides a means to pay for such expenses and losses; however, a Data Breach Response Plan is a critical step that is set to become a requirement.

Please contact your HUB consultant with any questions regarding your Cyber Liability coverage options or developing your Data Breach Response Plan.


Understanding Reasonable and Customary Limits

Kristine Cockell, Senior Client Service Specialist, HUB International

Most people are aware of the Fee Guides used by insurance carriers to limit coverage for Dental codes based on the suggested levels provided by the Dental Association. Many are not aware that insurance carriers also apply limits under the Extended Health coverage, such as paramedicals and medical appliances and services, based on Reasonable and Customary (R&C) limits.

R&Cs are based on geographical location and can vary slightly by carrier. An R&C is based on the price that is common within a specific geographic or socioeconomic region as well as the published fee guide from applicable professional associations (e.g. Provincial Physiotherapy Associations). The application of R&C limits is a standard practice in group benefits.

Most practitioners charge within the R&C fee range. If they choose to charge above the R&C, the claimant is responsible for the additional cost. For example, if a claimant decides to have a one-hour massage at an exclusive spa in downtown Toronto, and is charged $150, the claimant will be reimbursed based on the R&C amount, which may be $100 and is subject to the benefit plan’s yearly maximum.

Insurance carriers use R&C limits to prevent practitioners from charging more than the fair market value for services, which could financially impact benefit plans. R&C levels are continuously monitored and adjustments are made as required. Due to the vast number of R&C limits, most carriers do not publish their R&C limits. However, claimants can contact their group carrier directly to confirm the R&C limit for the services they use.

Consistent communication key to mitigating member panic amid market volatility

Scott Anderson, Vice President, Group Retirement, HUB International, as published in Benefits Canada

With markets showing signs of potential extreme volatility in recent weeks, how can employers address the many questions that arise from pension plan members?

When speaking to members, consultants usually emphasize advice on asset allocation based on age and risk tolerance. Many members aren’t honest in their responses, often overstating their tolerance for risk because markets are typically on the rise. But when there’s a retraction in the market, they realize they’re not actually a risky investor. So what are plan sponsors’ responsibilities to members in that scenario?

First of all, it’s important to remember that plan sponsors can’t provide investment advice to members. They aren’t licensed to do so and could face company liability if they do. Instead, employers should be telling members to contact a professional for advice.

Some plan sponsors may choose to do nothing. Sometimes, a memo to members can create unnecessary panic, prompting them to sell out of equities and into investments such as money-market funds. That approach can lead to missed opportunities and lower returns, as timing the market is rarely the right move in such scenarios.

Plan sponsors should be reminding employees about successful investing techniques. They include ensuring the correct asset allocation for their age and tolerance, continuing to contribute during downturns and diversifying across geographies and industries. While those are good reminders, they may come too late if plan sponsors send them out to plan members as a downturn occurs.

Instead, plan sponsors should be hosting regular education sessions for employees. When they provide continuous education, they significantly reduce the need to create reactive communications materials. As well, regular and appropriate education can ensure members are choosing the correct asset allocation for their risk tolerance.

(continued at the following link)


Three ways to encourage employees to take better care of themselves

Karley Middleton, Health & Performance Consultant, HUB International, as published in Benefits Canada

Financial drain, emotional turbulence and tested physical limits are common challenges in the early months of the year. For employees to successfully transition out of that state towards a year of productivity, health and growth, they need to feel supported in prioritizing taking care of themselves.

One issue that commonly comes up in the early months is how people are doing on the new year’s resolutions they made in January. Research published by the University of Scranton estimates approximately 40 per cent of Americans make new year’s resolutions and fully intend to keep them. However, only nine per cent of that group will actually achieve their resolution, a fact that’s sure to lead to even more feelings of stress, depression, anxiety and isolation. While some people expect immediate gratification for their efforts, for most life-altering changes, the progress is much slower but no less impactful on their overall quality of life.

Employees can’t leave those feelings at the office door, so it’s in an employer’s best interest to encourage everyone to dedicate appropriate time and effort to caring for themselves. That means advising employees on how to maximize the time they have to themselves and carve out more of it when required.

A few small behaviours can make a real difference in a person’s ability to get back on track. Here are three ways to encourage employees to take care of themselves:

Practice True Mindfulness
Most people in a state of despair will say they’re incredibly aware of what’s going on around them but they’re only focusing on problems, challenges and other negative forces. Encourage employees to acknowledge the positive factors in their situations as well, and more often than not, they’ll find balance. A practice that will benefit anyone, mindfulness is an area where employers can launch programs with no concern about missing the mark.

Get Enough Sleep
Those who truly believe they don’t require at least seven hours of quality sleep per night in order to function at the best of their ability are kidding themselves. Unfortunately, employees aren’t the only ones affected by that disillusion. It’s likely that co-workers, human resources staff, family members and friends all notice the times their poorly rested brains and bodies fail to perform.

(full article at the following link)