In this webinar recording, hear from our cloud solutions expert, Paul Fihrer, on how to move to a Private Cloud, and how Abacus Private Cloud helps you comply with laws like PIPEDA (Personal Information Protection and Electronic Documents Act).


Video Transcription

Hello everyone, and thank you so much for joining us today. My name is Kalei White; I am a marketing coordinator here at AbacusNext. In today's webinar, we will be discussing Canadian data hosting: all the things you need to consider, compliance, regulation issues, and more. We have with us Paul Fihrer. He's a senior solutions consultant based in our Toronto office, so he is our expert on today's subject matter.

Hi everyone, I'm Paul. Yes, we're going to be talking about understanding Canadian data hosting. Before I start, I'll just introduce myself. I'm Paul Fihrer, a senior solutions consultant. I've been with the company for three years and I am very familiar with Canadian data hosting and the privacy act. I will talk about it with respect to the law. I did this presentation with respect to law firms, but as we've had an uptick in talking to accountants I will talk a little bit about accounting firms, because I have been, over the last probably 6 to 8 months, talking to accountants. So if there are accountants on the line, I will slip in a couple of references to accountants.

Let's start off with a couple of acronyms. The last time I did this presentation I did talk about what I call my pet peeves, which are acronyms, because people throw them out there all the time, but sometimes not everyone knows what they are. There's a bunch of acronyms here. I'm going to assume that everybody can read. PIPEDA, or PIPEDA depending on how you pronounce it, is the Personal Information Protection and Electronic Documents Act. Pretty much, for the most part, that's what I'm going to talk about today from a privacy act perspective. The one other one that's really important is the one at the bottom, Personally Identifiable Information, which is PII. Those are probably the two most important that you need to understand. Why are those important? That's what I'm really going to talk about.

The other acts roll down into the provincial level, into the provinces. In a nutshell, PIPEDA is a federal act. Some of the PIPEDA acts roll down into the provinces. I'm going to explain these acts and why they're important. The PII act actually rolls into PIPEDA and actually is the single most important thing that you need to understand about why hosting in a data center is important to you. I will explain at the end why it's so important.

What is PIPEDA and why is it so important? Really, it relates to data privacy and how you govern it, how you collect it, and how you collect personal information, in a nutshell. There is a whole website dedicated to this. I have some references actually at the back of the PowerPoint presentation, but in a nutshell that's really what this act basically says. Really, you have to get consent to collect this information in Canada, you have to use it for a specific purpose, it has to be correct, and most importantly it has to be kept securely. I'm going to talk about security a couple of times in this. What most people don't understand or sometimes don't realize is that yes, you're collecting data, but keeping it secure is incredibly important and, most importantly, it is your responsibility.

Right at the bottom there it says, "fully accountable and responsible for the protection of said data." Actually, on the website that maintains all this information, it says it is your responsibility to protect the data. I'm talking specifically about electronic data, but on a side note it is also your responsibility to protect the non-electronic data. Just on a side note, if you had taken a credit card and somebody physically faxed it to you and it's on a piece of paper, it is your responsibility to actually lock that piece of paper away or shred it. It encompasses both electronic and physical information.

What data is protected? Really, when we're talking about PIPEDA it's personally identifiable information. When we're talking about client data it's actually fairly broad. You wouldn't think about it, but we're talking about things like age, name, IDs. In Canada, it's the SIN, a person's name, their age, employee information. Then all the other information. From a lawyer's perspective, if you're talking about medical records, if you're talking about medical malpractice, all of the medical information. If you're talking about family law, salary information. If there are children involved, the children's names, the children's dates of birth, all the house and asset information. If you're talking about real estate, anything to do with house information that you're capturing from a transaction or a leasing transaction.

If you're talking about it from an accounting perspective, then you're talking about all the tax information that you're capturing. A crossover one that I know of from a client's perspective: if you are a tax accountant that is also a tax lawyer, then you're talking about both sets of information from a cross perspective. Any information that you're capturing from a service industry where you're capturing client information, you have to not only house that information but make sure that it is secure, protected, up-to-date, and you have to reasonably certify that it is protected.

Are all the laws the same across Canada, from Vancouver to Halifax, or to St. John's, I should say? They are not. Let's start off with the federal act. The federal act actually is adopted by all provinces and territories, but they actually roll down to the provincial acts, so let's talk a little bit about that. I think it's these five. One, two, three, four... these five provinces are the most stringent, with Québec, BC, and New Brunswick... sorry, and Alberta being the most stringent of all three, mostly because BC actually took on the act first; they were the leaders in the industry of taking on this information.

If you look at their website, just from an information perspective, they have the most consolidated information, and if you actually look at the trend, and I'll talk a little bit about this in the next slide, most provinces and territories have actually taken on what BC did, just from a trend perspective, and have mirrored what BC and Alberta have done, and have said, "Okay, whatever they've done, we've taken on." I would say Ontario is probably the loosest, and when I say the loosest, they have the least regulations. They are catching up, however, from a regulations perspective. Again, you still have to adhere to all the acts.

They are slightly uneven, but I would say these five provinces, from a regulations perspective, are the most stringent and require you to have the most up-to-date regulations, up-to-date data protection, from all of the privacy acts. I'll just give you a second to read. Again, I'm not going to read all the slides, but I want to make sure you're seeing all this information in its entirety.

One of the things that I actually do want to make a point of is that it is a misnomer, and I do hear this from prospective clients and clients, about again those three asterisks there, that it only applies to federal employees. This is not true. It does apply to both federal and business. If you are doing business in all provinces, you do need to protect all client data. Another thing that I do hear often, and I'll just mention this, I can't remember if I actually wrote this in the slide deck earlier on, is that data has to be kept in Canada. This is somewhat true, but there are some regulations that allow you... Sorry, I shouldn't say in Canada, in BC.

If you are on this call and you are in BC, because I don't know where everybody is, and you say, "I'd like to move my data into a data center and the data center's not in BC," that's not necessarily true, and if you are a federal employee on this call and you're saying, "My data has to be kept in BC," that's not true. You can actually get a document from your institution saying, "We would like to move our data into a data center," and if it's in Canada that's not a problem, actually. As long as the data is in Canada and the data center is in Canada, that's okay.

In a nutshell, other provinces and territories have similar acts that closely represent PIPEDA, but they're not as stringent as the others. That's all this really says. I wanted to make sure that I added all the other territories; I didn't want them to feel left out.

I did want to mention, because this was somewhat targeted to the legal space, and when I originally did this I did this for the legal space, so I wanted to encompass the law societies. Again, as I said, British Columbia has the most stringent laws, and I wanted to point out a couple of things. They are the leaders when it comes to this, when it comes to data privacy. There is quite a lot written on this. Both British Columbia and Alberta: everybody pretty much rolls up to the sea when it comes to the Law Society, BC and Alberta. From a data privacy perspective they say pretty much the same thing: that as long as the data is secure and you are taking reasonable and understandable rights to protect your data, and the data is secure, and your client has given you the rights to, again this comes back to PII, then you are protected. That's both at a local level and at a secure level. The key here, and I'll come back to this, is you have to take reasonable expectations to protect the data.

What next? Let's talk about this. What do reasonable expectations take? We hear this in the news on a regular basis about cyber threats. I think the latest statistics were that between 50 and 60% of people out there either know or unknowingly don't know that they have been hacked with a cyber threat. There are lots of different types of cyber threats out there and vulnerabilities out there, everything from malware to credit card theft. If I can think of something recent, Equifax didn't even know it happened until after the fact. That's the biggest problem, what I call reactive versus proactive management of data.

When we're talking about data, it's: am I running an up-to-date antivirus? Am I running up-to-date malware protection? Am I proactively managing and monitoring my systems on a minute-to-minute, hour-to-hour, day-to-day basis? Do I know that my systems are up-to-date? Do I know that my hard drives are healthy and being managed properly? This is just a number of the threats out there. Do I know that this information is being managed properly?

When you have a locally managed infrastructure that nobody's looking at until something happens, that's called reactive, then. As I go through this presentation, I'm getting to the point now where I'm going to start talking about the data center. Our data centers are managed 24 hours a day, 7 days a week, 365 days a year. We have people in the data center that are looking at the infrastructure, managing these cyber threats 24 hours a day, 7 days a week, 365 days a year, making sure that your data is secure and encrypted all the way down to your device.

I've talked a lot about this, and the reason I've talked about this goes back to the first slide: the reasonable expectation that the data is secure. That's why I've highlighted this one thing here. This is why I have talked about the proactive versus reactive approach. There's a bunch of topics that I've put up here on on-premise versus what we call the Abacus Private Cloud, or hosting your information in a data center.

Obviously I'm talking about Abacus Private Cloud because we actually have people in our data center in Canada. Security is critical, and you as an individual need to understand your security. So if you're an accountant, you understand how to do people's tax returns and how to relate tax information to them. If you're a lawyer, you understand the law and how to relay legal information to a client. Are you also an IT expert? If you're looking at that top line here, it says, "Top talent comes with top cost and a niche skill may be very expensive to attach." That's you, as in your field. That's us 24/7, 365 days a year, and that's what we bring to the table.

We are managing that 24 hours a day, 365 days a year in a data center. We are also securing your data, managing it in an infrastructure that's encrypted all the way down to the device. We have SOC 1, SOC 2, SOC 3. I'm throwing those terms out there because those are compliance terms that say that the data center is secure, has the right infrastructure, has the right security protocols in place, has the right auditing in place to manage security, credit card theft, somebody can't walk out the door with your server, just some of those kinds of things in the infrastructure.

This is what I'm talking about. HIPAA, which is a US-based compliance. Ours is called, and I should've put it there, ISO 2007, PCI DSS compliance, SSAE 16, SOC 1, SOC 2. These are all very specific compliance rules that a data center needs to comply with, which no single local environment can actually adhere to. All of these things that I've talked about: encryption, legal protection, biometric scanners. Another one here you see is behavior-based analytics. We have software that is managing behavior analytics at a global level that will, hopefully, help with intrusion detection. Can we completely eliminate that? No, but we can eliminate a lot of that because, think about it, we have many clients who are doing behavior analytics, and we are capturing all those analytics and looking at multiple people's behavior.

Just to mention, we don't just run one data center. We have data centers across the world: we have data centers in the US, we have data centers in Canada, and we have data centers in the UK. This is not just Bob's data center in the back of my car or the back of my shop. We have hundreds of employees managing thousands of clients, and this is a large infrastructure. This is what we do for a living and this is what we know; this is our expertise.

Just a little bit on the data centers themselves and what we do. We can add any application, any time. Security, endpoint security. Endpoint security means end-to-end security, so things like what we use, which is called Sophos security. Most people are familiar with things like Norton or Kaspersky endpoint security; it's that kind of security. We're fully compliant. I've talked about 24 hours a day, 7 days a week, 365 days a year monitoring.

Disaster recovery or business continuity. We support disaster recovery and business continuity, and that's actually critical to understand: those two are very different things. What that means is not only do we do backups on a daily basis for you, so that's taken away and you can eliminate the worry of, "Oh, what happens if my system gets corrupted or I need to go and get a backup," we can also have built-in business continuity. I can build in a six-hour rolling backup, so if my system does crash or I do get malware on my system, I can actually restore from three hours ago or six hours ago.

Also, if my system is growing, I don't have to go out and buy a new server; we can scale this server to meet your growing or shrinking needs. It is also a turnkey solution. That's just a marketing term for saying that we have partnered with a lot of strategic partners, partners like Microsoft, partners with a bunch of different accounting applications like Intuit, like Sage, and so we are a tier one partner, so you're calling one single number and we will do the support with that one number. You don't have to call six different people. Then OpEx versus CapEx. You're not spending capital expenditure, or you're not spending money up front; it's operating capital, so it's a lower entry versus a larger entry and then carrying on spending that operating budget up front.

Just in conclusion, because I'm one or two minutes over here: we comply with the provincial laws, we comply with the federal laws, and we handle your data. The one thing I do want to mention, and this comes up on a regular basis, is that you always own your data; we are just the handlers of your data, so you will always own your data in the data center. We are an end-to-end solution, which means we manage from your device all the way to the data center.


How do I get my data into the private cloud?

You would call one of the salespeople, or call into the 1-800 number that's on the screen there, and we would do an assessment of your environment, and we would customize a specific solution for you. Typically, once we've customized a solution for you, we would send you an encrypted drive, and that drive then would be sent back to us, shipped overnight. After we've built the actual solution for you, we would test it in conjunction with you, and we would make sure you've done some user acceptance so that it looks exactly the way that you want it to look. You would ship the drive to us, and then we would restore the data, and then we'd be up and running.

Do we support third-party products?

Yes, we do. We have a number of third-party products that we support directly, like QuickBooks, like the Microsoft Office suite. If it's a product that we don't support, we will typically work with that vendor, so what we'll try and do is first-level support and then work with that vendor to resolve that issue. We have a number of third-party products that we don't directly support, but we will work with them to support. That's all the questions that we have.

Thank you!