“I am deeply troubled by the large number of major breaches we are seeing, including serious incidents in recent weeks that have affected hundreds of thousands of Canadians,’’ Jennifer Stoddart said in a speech today at the Canada 3.0 forum in Stratford, Ont. “It seems to me that it’s time to begin imposing fines – significant, attention-getting fines – on companies when poor privacy and security practices lead to breaches.” To learn more, read the complete news release.

The formerly classified documents are tantalizing and the story behind Assange and his WikiLeaks website is fascinating. But amidst the media chatter about the damage inflicted by WikiLeaks itself, the circumstances surrounding the initial release of secret documents from the U.S. government to WikiLeaks should provide a wake up call for other governments and corporations here at home.

Read more>>

In this recent case involving Veteran Affairs, a veteran had filed a complaint with the Office of the Privacy Commissioner of Canada (“OPC”) alleging that Veterans Affairs had violated the Privacy Act by including excessively detailed and sensitive medical information in briefing notes to the Minister of Veterans Affairs. The complainant also alleged that Veteran Affairs had transferred his medical file to a hospital administered by Veterans Affairs without his consent.

The OPC has issued the following formal recommendations to Veterans Affairs, but they should also serve as useful recommendations to other organizations:

• “Take immediate steps to develop an enhanced privacy policy framework with adequate protections and controls to regulate access to personal information within the department.
• Revise existing information-management practices and policies to ensure that personal information is shared within the department on a need-to-know basis only.  Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
• Provide training for employees about appropriate personal information-handling practices.
• Review procedures to ensure that consent is obtained prior to personal information being transferred to veterans’ hospitals.”

From today’s news release:

The Honourable Tony Clement, Minister of Industry, and the Honourable Denis Lebel, Minister of State (Economic Development Agency of Canada for the Regions of Quebec), today announced two steps that the Government of Canada is taking to enhance the safety and security of the online marketplace. Together, the tabling of amendments to the legislation protecting the personal information of Canadians (Personal Information Protection and Electronic Documents Act, or PIPEDA) and the reintroduction of anti-spam legislation in the House of Commons (the proposed Fighting Internet and Wireless Spam Act, or FISA) are important steps towards positioning Canada as a leader in the digital economy.

Here’s the full Industry Canada news release.

(Hat tip to David Fraser’s Canadian Privacy Law Blog )

The privacy commissioners’ letter states, “we are increasingly concerned that, too often, the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications. We were disturbed by your recent rollout of the Google Buzz social networking application, which betrayed a disappointing disregard for fundamental privacy norms and laws… Unfortunately, Google Buzz is not an isolated case. Google Street View was launched in some countries without due consideration of privacy and data protection laws and cultural norms. In that instance, you addressed privacy concerns related to such matters as the retention of unblurred facial images only after the fact, and there is continued concern about the adequacy of the information you provide before the images are captured… We therefore call on you, like all organizations entrusted with people’s personal information, to incorporate fundamental privacy principles directly into the design of new online services. That means, at a minimum:

The privacy commissioners’ demand that Google and other organizations better incorporate privacy into the design of new online services underscores the need for the “Privacy by Design” initiative that Ontario’s Information and Privacy Commissioner recently discussed in my “A Conversation with Dr. Ann Cavoukian” post. All organizations, regardless of their size (after all, we’re all not Google), would be well-advised to learn from today’s “buzz” about Google Buzz.

Read the Computerworld article here!

This situation is an example of redactions gone terribly wrong!  And it should serve as a reminder to public and private sector organizations to take extra care when making redactions in documents that will be released to third parties. Different redaction strategies can be implemented depending on the circumstances. One strategy that I implement when records will be posted online is to make my redactions and then physically scan the document and save it as a PDF. It’s a basic way to protect sensitive portions of records.  Please feel free to post a Comment below with other suggested strategies for making secure redactions.

More disturbingly, 51% said it’s “easy” to take sensitive information out of their company and, as reported by Out-Law.com, 85% were aware that it’s illegal to download corporate information.  The favoured medium for stealing corporate information is a USB memory stick followed by e-mail. 

As I’ve mentioned in previous posts rogue employees pose a risk to privacy compliance and, as a result, corporate information requires safekeeping.  In today’s economy, information is the most valuable corporate asset.  For this reason, businesses of all sizes should take proactive steps to protect corporate data.  Whether it’s customer or supplier lists, intellectual property or employee personal information, it’s information that needs safekeeping, especially when we see statistics like those reported above.

The Global Recession and its effect on Work Ethics

As I’ve previously written, information really is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping. 

This case should serve as a reminder that corporate safekeeping practices must include protecting data from rogue employees.

Thanks to the bill, titled An Act to amend the Criminal Code (identity theft and related misconduct), there are now three new Criminal Code offences related to identity theft:

• Obtaining and possessing identity information with the intent to use the information deceptively, dishonestly or fraudulently in the commission of a crime;
• Trafficking in identity information, an offence that targets those who transfer or sell information to another person with knowledge of, or recklessness as to, the possible criminal use of the information; and
• Unlawfully possessing or trafficking in government-issued identity documents that contain information of another person.

Before Bill S-4 came into effect, police had to use other Criminal Code provisions to target identity theft. Today’s development should help law enforcement officials attack a growing problem: the Canadian Council of Better Business Bureaus has estimated that identity theft may cost Canadians more than $2 billion annually.

In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007.  The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information.  A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted. 

These incidents demonstrate how easily sensitive data can be compromised when stored on laptops.  Encryption is a relatively easy way to improve the security of such information.  But, where do you start? There are numerous encryption options available.  Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same, encrypting laptops significantly improves security and that’s just smart business.