Is your business engaging in “cloud computing”? Probably.

July 27, 2009

Clouds 5 revised

Have you heard the term “cloud computing“, but aren’t really clear what it means?

Cloud computing is an umbrella term that refers to the use of Internet-hosted computer services. Think of your server — instead of having one in-house server located on company premises, an organization might opt to buy space on a third-party provider’s server. Other options include software hosting and data storage. By purchasing computing services from a variety of Internet-based providers, your computer needs are housed within a larger “cloud” of computer services.

Some organizations are opting for ”Software as a service” (SaaS), and allowing their data to reside on other company’s servers, or “the cloud“. Users only have to buy the space they need, which allows organizations to save money on their technology costs. Other benefits include access to people with technological know-how, flexibility and reduced maintenance costs.

Cloud computing is not new, but is now embedded into the fabric of modern business operations.  In fact, the Los Angeles Times has reported that the city of Los Angeles is considering using Google applications for all of its software needs. 

Privacy issues related to cloud computing, however, are profound. For example, many of the security questions that relate to traditional third-party data hosting were raised when a hacker broke into a Twitter employee’s work e-mail account and stole confidential company documents. The World Privacy Forum, meanwhile, has released a 28-page report on some of the privacy issues that relate to cloud computing. The report concludes that sharing information may expose some business users to liability, and emphasizes the importance of checking a cloud provider’s terms of service, privacy policy, and location.

Canadian businesses that engage in cloud computing should be reminded that they must do so in compliance with applicable privacy laws. For example, the Personal Information and Protection of Electronic Documents Act obliges organizations that transfer personal information to third parties to ensure appropriate security safeguards are in place.

They should also be mindful of the raging debate about the perils of cloud computing that has been underway now for some time. While cloud computing has the potential to provide benefits, organizations should ask themselves whether it is worth the risks it poses. You might save money in the short run, but is it worth the potential of a massive privacy breach? 

2 Comments | Internet, PIPEDA, Privacy, Technology | Tagged: , , , , , , , , , | Permalink
Posted by Brian Bowman

Facebook criticized by Canada’s Privacy Commissioner: Canadian businesses can learn from high profile investigation

July 16, 2009

Academics - teachingThe Office of the Privacy Commissioner of Canada (the “OPC”) has just released an in-depth investigation report into a wide-ranging PIPEDA complaint by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) about the privacy practices of Facebook.  There is extensive domestic and international media coverage on this today including a story just posted by New York based Bloomberg News, which includes commentary by yours truly. 

While the OPC’s Facebook investigation should be a “must read” for all Facebook users, it also provides some insightful information for Canadian organizations regulated by PIPEDA. The lessons that can be learned from the investigation can be applied by Canadian businesses regardless of whether their activities are online or offline. 

Despite the fact that “[i]t’s clear that privacy issues are top of mind for Facebook…” federal Privacy Commissioner Jennifer Stoddart says that the OPC has found “serious privacy gaps in the way the site operates”. According to Stoddart, in order to comply with Canadian privacy law, Facebook must take greater responsibility for the personal information in its care.  An overarching concern of the OPC was that, although Facebook provides information about its privacy practices, it is often confusing or incomplete. For example, the “account settings” page describes how to deactivate accounts, but not how to delete them, which actually removes personal data from Facebook’s servers. The OPC recommends more transparency, to ensure that the social networking site’s nearly 12 million Canadian users have the information they need to make meaningful decisions about how widely they share personal information.

The investigation also raised significant concerns around the sharing of users’ personal information with third-party developers creating Facebook applications such as games and quizzes. (There are more than 950,000 developers in some 180 countries.) Facebook lacks adequate safeguards to effectively restrict these outside developers from accessing profile information, the investigation found. The report recommended a number of changes, including technological measures to ensure that developers can only access the user information actually required to run a specific application, and also to prevent the disclosure of personal information of any of the user’s friends who are not themselves signing up for an application.

The investigation also found that Facebook has a policy of indefinitely keeping the personal information of people who have deactivated their accounts, which is a violation of PIPEDA. The law requires organizations to retain personal information only for as long as is necessary to meet appropriate purposes. Recommendations to Facebook included the adoption of a retention policy whereby personal information in deactivated accounts is deleted after a reasonable length of time.

Click here to read the OPC’s News Release, here for the full investigation report and here to read a helpful backgrounder.  If you’d like to read more about Facebook, please click on the Facebook link under this blog’s Tags (below).

Leave a Comment » | Access to Information, Facebook, Internet, Online Reputation Management, PIPEDA, Privacy, Safekeeping, Security, Social Networking Websites | Tagged: , , , , , , , , , | Permalink
Posted by Brian Bowman

Portable Storage Devices (PSDs): Lessons learned from Australia and New Zealand

July 13, 2009

PDAs 8The Australian and New Zealand Privacy Commissioners recently released studies examining the use of Portable Storage Devices (PSDs) by their governmental agencies. The aim was to examine the risks to personal information posed by the use of PSDs.  PSDs are small, convenient devices that are capable of storing large amounts of information including laptops, cell phones, USBs, hard drives and iPods.

The studies found that government agencies often keep track of the PSDs they issue but seldom do audit checks on those devices. Policies regulating the proper usage are often developed, but rarely enforced. Hardware controls (i.e. sealing off ports and disabling cables) are used less frequently than software controls (i.e. blocking access to certain databases, monitoring access and information downloaded, etc.).

The majority of agencies (like most private sector businesses in Canada) also allow the use of private PSDs for work (i.e. a cell phone which is used for both personal and business purposes). The studies found that policies regarding the use of private PSDs were less common and much less enforceable than policies for agency-issued PSDs. Even though these studies only analyzed governmental use, the New Zealand Privacy Commissioner stated that she believed the findings were equally applicable to private sector businesses as well.

As I’ve commented in previous posts, there are privacy risks associated with the use of PSDs. First of all, there have been numerous incidents of stolen laptops and other PSDs that contained personal information. Secondly, devices such as USBs are easy to lose. Thirdly, disgruntled employees can easily use PSDs to steal personal information and other confidential corporate information from employers.  For example, an employee can simply click a button and download a company’s entire database in a matter of minutes. This is called “pod-slurping” and is especially a threat given the fact that many government agencies and private companies do not have the software capability to track when data has been downloaded to a PSD.

In order to avoid a privacy breach and resulting damage to your business, consider implementing some of the suggestions contained in a 2006 investigation by the Alberta Privacy Commissioner (which I would add should, of course, be implemented in accordance with your organization’s privacy policy and applicable law):

  1. Develop policies on proper usage of PSDs (whether company-issued or private) and train employees about these policies. Include detailed instructions about retention and deletion of personal information;
  2. Limit the amount of personal information that is stored on PSDs;
  3. Use encryption on all PSDs that store personal information. Password protection alone is not sufficient as there are free software programs available on the Internet which can crack passwords;
  4. Monitor the use of PSDs through software (i.e. install software that tracks data downloaded from a database onto a PSD);
  5. Instead of using PSDs, implement technologies that allow employees to access a database through a secure network;
  6. With respect to laptop thefts, consider installing tracking software that can trace the location of a lost laptop. Also consider installing a “kill switch” so that the computer will self-destruct if an individual tries to gain unauthorized access; and
  7. Stress to employees the need to use appropriate safeguards at all times, even when at home.

Leave a Comment » | Access to Information, Privacy, PSDs, Safekeeping, Security, Technology | Tagged: , , , , , , , | Permalink
Posted by Brian Bowman

Smartphones in the workplace: what’s your business doing to manage the risk?

July 6, 2009

Cell phonesRecently, an interesting article in the Globe and Mail dealt with the issue of smartphone etiquette. Business professionals fidgeting with their BlackBerrys and iPhones in meetings, walking through airports with eyes glued to their small glowing screens and operating their devices in restrooms may seem unrealistic at first blush, but is it really? The reality is that smartphones have permeated the business world. They are everywhere, they are powerful and have the potential to be extremely damaging.

Breaches of confidential corporate data and personal information are nothing new to the business world, but smartphones have brought a new dimension to the problem. Smartphones are starting to make appearances in Canadian court cases in a supporting role, but it won’t be long before they are squarely in the spotlight. The latest iPhone model has up to 32GB of memory while BlackBerrys can store vast amounts of data on memory cards. The equivalent of entire filing cabinets can now be carried around conveniently in your shirt pocket. This reality has increased the risk for massive privacy breaches in the blink of an eye.

The big question is how involved should employers be in regulating and monitoring their employees use of smartphones? All encompassing monitoring of employee smartphone use is a touchy area, but the permeation of smartphones in today’s corporate world and the corresponding risks to businesses necessitates (at the very least) that relevant guidelines concerning their use in the workplace should be implemented by employers. All it takes to damage a business is for one employee to misplace their smartphone without having first activated their security settings.

1 Comment | Employee Monitoring, Privacy, Privacy Breach, Security, Security Breach, Smartphones | Tagged: , , , , , , , , | Permalink
Posted by Brian Bowman

Follow

Get every new post delivered to your Inbox.

Join 104 other followers