February 27, 2009
Do you ever wish you were Jack Bauer from the TV show 24? Here’s your chance!
A growing number of articles are highlighting the threat of “cyber-terrorism”. It’s a scary topic that is surely consuming the time of government technology infrastructure professionals in the U.S. and Canada. Some of these articles discuss the remote possibility that terrorists may perpetrate cyber-attacks against critical online government and corporate infrastructure. Others discuss the very real possibility that terrorists may simply use the Internet (and the information available online) to plan attacks in the real world. Don Cavender, a special agent and instructor with the FBI’s Computer Training Unit at Quantico, Virginia, is quoted in an excellent ZDNet article as saying that “the worry right now is not so much a cyberterrorism event…but when the terrorists use the Internet to facilitate the planning of these attacks.”
We all know that the Internet is filling up with vast amounts of data, including people’s personal information as well as corporate and government data. The lesson I take from all of these “cyber-terrorism” articles is that businesses should make sure they are working with technology professionals to secure their databases and to limit the amount of personal information and corporate data available online. Of course, there are many other reasons for businesses to do so. For example, privacy laws such as Canada’s PIPEDA regulate the safeguarding of personal information, and there are good business reasons to limit the availability of proprietary corporate data online. But if you ever wished you were Jack Bauer, then here’s your chance to fight terrorism…one corporate move at a time.
February 25, 2009
I chaired a lively Privacy Forum member meeting yesterday, which included a great discussion on how to get staff “buy-in” on privacy compliance. It’s an important topic because an organization can have comprehensive privacy policies and procedures, but if employees don’t “buy-in” they won’t implement the policies and procedures properly.
The important thing is to develop a culture of privacy within the workplace. Fostering a workplace culture where privacy is valued and respected contributes to good employee morale and mutual trust. It also helps employees identify privacy issues before they become privacy complaints (which can result in costly grievances, lawsuits or settlements). After all, it’s employees who are on the front line with customers, and how they respond to privacy-related questions or concerns can make a big difference.
When I conduct privacy training sessions for clients, I always remind employees that while privacy compliance is the law, it’s also important because good privacy practices can improve customer relations, increase efficiencies and mitigate time-consuming and costly privacy complaints. I also try to make privacy compliance fun! No, this is not a misprint…I said “fun”. Privacy Forum members had some great suggestions on how to make privacy compliance fun and, in doing so, help to get staff “buy-in” on privacy compliance.
Please post a Comment below on ways that you or your organization tries to get staff “buy-in” on privacy.
February 20, 2009
Privacy professionals will know first-hand the importance of conducting regular staff privacy training, which can reduce customer privacy complaints and, as a result, the overall cost of privacy compliance. I certainly know from my practice that the costs to businesses can be quite significant when they have to deal with serious privacy complaints. These costs can include settlements, legal fees and lost productivity. Obviously, it’s better to be proactive and reduce the chances of having to deal with privacy complaints in the first place. That’s where regular staff privacy training comes in! Businesses really should conduct staff privacy training on a regular basis – in my view, at least annually.
In a recent speech to the 10th Annual Privacy and Security Conference in Victoria, B.C., Privacy Commissioner Jennifer Stoddart commented, “Polling for my Office in 2007 found that only a third of all businesses reported having trained staff about their responsibilities under Canada’s privacy laws. This is a huge concern! We recently conducted an analysis of 86 breaches reported to my Office and found that employee awareness and training was the most important contributing factor. It was an issue in more than half of the spills we examined! We found that very basic mistakes – human errors – often lead to breaches. Breaches are caused mostly by employee misconduct and human error, not technological weaknesses.” The full speech is entitled, “A Privacy Check Up For Canadians: Is the Glass Half Empty or Half Full?” and is definitely worth reading.
February 13, 2009
British Columbia’s Supreme Court has awarded a record-setting judgment of over $1 million to a B.C. businessman for invasion of privacy as reported by Canwest News Service.
In 2005, Hal Neumann’s home was searched by the Canada Revenue Agency, who were looking for records and documents he’d already given to the government. The CRA is studying the decision to determine if they will appeal.
This judgment is significant because it demonstrates that Canadian courts are now willing to award substantial damages for an invasion of privacy. Public bodies or private sector organizations in Canada that think privacy rights don’t have teeth should reconsider after seeing this groundbreaking decision.
February 12, 2009
If you’re from Winnipeg, you’re well aware of the terrible tragedy of Brian Sinclair, who passed away in the emergency department of the Health Sciences Centre after waiting to see a doctor for 34 hours. Manitoba’s NDP government and the Winnipeg Regional Health Authority (WRHA) have been dealing with the political and legal consequences since Mr. Sinclair’s death last fall.
I was asked yesterday to provide comment to the Winnipeg Sun on the validity of the government’s recent claim that it could not release the first administrative review into the tragedy because of privacy concerns. The story serves as a reminder to government bodies and businesses of the challenges (and need for expert legal counsel) when dealing with access to information and related privacy matters.
A separate story reported at TechCrunch demonstrates the risks of releasing redacted documents to the public. Canadian privacy laws typically require organizations to black out, or redact, portions of documents that contain someone else’s personal information unless that person consents to its disclosure. It’s a time-consuming but important step that organizations need to take before disclosing documents under access to information legislation. But, as this story points out, organizations need to be very careful about how they redact! In particular, drawing a black box over text in a PDF or word-processor file only hides it on screen; the underlying text remains in the file and can be recovered by copying and pasting it or by searching the document. Proper redaction removes the content itself (for example, by deleting it from the source document before the release copy is generated, or by using a redaction tool that strips the text rather than merely covering it), and the final file should be checked by searching it for the redacted words before it goes out the door.
February 12, 2009
Canada, U.S. laws on privacy complex
My September 3, 2008 column in the Winnipeg Free Press reports on the findings of the Privacy Commissioner of Canada regarding canada.com’s outsourcing to a U.S. based service provider. The finding highlights the complexities of Canadian and U.S. laws as they relate to the personal information of customers and reminds Canadian businesses of the need to have legal agreements with third party service providers, especially those located in the U.S.
February 12, 2009
Online shopping a risky transaction: Protect yourself from identity thieves
My November 5, 2008 column in the Winnipeg Free Press provides some tips on how to be a savvy online shopper and explains the benefits to online retailers of having secure websites and comprehensive online privacy policies.