December 20, 2010
Recent news coverage about WikiLeaks has focused on the leaked documents and ethics, or lack thereof, of WikiLeaks’ founder, Julian Assange. Rightfully so.
The formerly classified documents are tantalizing and the story behind Assange and his WikiLeaks website is fascinating. But amidst the media chatter about the damage inflicted by WikiLeaks itself, the circumstances surrounding the initial release of secret documents from the U.S. government to WikiLeaks should provide a wake up call for other governments and corporations here at home.
Read more>>
Leave a Comment » | 
Access to Information, Data Protection, Employee Monitoring, Safeguarding, Safekeeping, Security, Security Breach, Technology | Tagged: Access to Information, Corporate Information, Information Technology, Safeguarding, Security, Workplace Surveillance | 
Permalink
Posted by Brian Bowman
October 8, 2010
The recent headlines over the Veteran Affairs Canada privacy breach should serve as a useful reminder to all organizations – public and private sector – of the necessity to implement internal policies and procedures for the management of personal information. Much attention is paid these days by the media to privacy breaches that involve external parties, such as hackers, who foil the security safeguards of organizations. However, in my experience the bigger threat to privacy if often from within an organization.
In this recent case involving Veteran Affairs, a veteran had filed a complaint with the Office of the Privacy Commissioner of Canada (“OPC”) alleging that Veterans Affairs had violated the Privacy Act by including excessively detailed and sensitive medical information in briefing notes to the Minister of Veterans Affairs. The complainant also alleged that Veteran Affairs had transferred his medical file to a hospital administered by Veterans Affairs without his consent.
The OPC has issued the following formal recommendations to Veterans Affairs, but they should also serve as useful recommendations to other organizations:
- “Take immediate steps to develop an enhanced privacy policy framework with adequate protections and controls to regulate access to personal information within the department.
- Revise existing information-management practices and policies to ensure that personal information is shared within the department on a need-to-know basis only. Personal information, including but not limited to sensitive medical information, should not be shared with programs that have no operational requirements for access to such information.
- Provide training for employees about appropriate personal information-handling practices.
- Review procedures to ensure that consent is obtained prior to personal information being transferred to veterans’ hospitals.”
Leave a Comment » | Access to Information, Data Protection, Due Diligence, Government, Privacy, Privacy Breach, Privacy Commissioner of Canada, Safeguarding, Safekeeping, Security Breach, Training | Tagged: Access to Information, Due Diligence, Personal Information, Privacy Commissioner, Privacy Compliance, Safeguarding | Permalink
Posted by Brian Bowman
October 6, 2010
CBC News is reporting that ”[g]arbage bags filled with confidential financial information were found blowing around in a [Winnipeg] North End back lane Tuesday, and people living in the area say they’re furious because of it. The bags contain tax return documents that include people’s names, social insurance numbers and in many cases, addresses and other sensitive financial information.”
This and other similar news stories should serve as a reminder that PIPEDA requires organizations to exercise care in the disposal or destruction of personal information to prevent unauthorized parties from gaining access to the information (for example, don’t dispose of sensitive tax information records in a back lane). Other provincial laws, such as Alberta’s PIPA and B.C.’s PIPA, have similar requirements. Disposal or destruction policies and procedures should focus on physical, organizational and technological measures.
Leave a Comment » | Identity Theft, PIPEDA, Privacy, Privacy Breach, Security Breach | Tagged: Due Diligence, Identity Theft, PIPEDA, Privacy Compliance, Safeguarding | Permalink
Posted by Brian Bowman
September 16, 2010
PriceWaterhouseCoopers (PWC) has just released its Global State of Information Security Survey, which says that corporate spending on data security will increase sharply in the coming years. ComputerWeekly.com reports that more than half of respondents to the PWC survey say that their companies plan to spend more on technological defences against security breaches, an increase of 14% from last year. The survey also reveals that the impact of security breaches is growing. According to ComputerWeekly.com ”the number of companies reporting financial losses from data breaches increased 6% in the past year to 20%, up from only 8% in 2008. Intellectual property theft has increased to effect 15% of companies reporting data breaches, up from just 5% in 2008. An increase in the number of sophisticated attacks aimed at stealing information from specific companies is also driving increased security spending according to the Financial Times.”
The PWC survey demonstrates that spending is shifting to monitoring of company networks, at a time when more employees are bringing their own PDA’s and computers into the workplace. But as PWC states, businesses should be making employees the first line of defence against data leaks.
The PWC survey and commentary serves as a reminder of the need to focus resources for data security (and privacy law compliance) strategically. This means investing in technological safeguards but it should mean investing in privacy training for your staff. It’s an important point because so many of the privacy breaches these days result from mistakes, or human error, by one’s own employees. I’d suggest that you compare your organization’s line item for network monitoring with your line item (if it exists) for privacy training. Are your privacy risk mitigation efforts as strategic as they could be?
Leave a Comment » | Due Diligence, Intellectual Property, Privacy, Privacy Breach, Safeguarding, Security, Security Breach, Technology, Theft, Training | Tagged: Due Diligence, Employees, Information Technology, Intellectual Property, Safeguarding, Security, Technology | Permalink
Posted by Brian Bowman
August 23, 2010
The CBC National News is reporting in this video news clip that the children’s retail store Please Mum has alerted its online customers about a privacy breach to its online customer database that occurred in early June. Despite the fact that the long-awaited amendments to PIPEDA (which will require organizations to notify affected customers when certain privacy breaches occur) have not yet become law, Please Mum has taken the initiative to alert its customers.
In the absence of specific legal requirements, the decision to notify customers when privacy breaches occur is not an easy task. Far from it. Factors that businesses should consider include assessing what personal information was compromised, the cause and extent of the privacy breach, the number of affected individuals and the anticipated harm that could result from the privacy breach.
Leave a Comment » | Online Shopping, Privacy, Safeguarding, Safekeeping, Security Breach | Tagged: Privacy, Privacy Breach, Security | Permalink
Posted by Brian Bowman
December 9, 2009
CTV News is reporting that the U.S. federal government improperly posted an internal guide to its airport passenger screening procedures on the Internet in a way that could offer valuable tools to terrorists. The guide was posted on the U.S. Federal Business Opportunity website, but the sensitive information (which was electronically redacted, or blacked out) was not properly protected. Some websites, using widely available software, were able to uncover the original text of sections that had been redacted.
This situation is an example of redactions gone terribly wrong! And it should serve as a reminder to public and private sector organizations to take extra care when making redactions in documents that will be released to third parties. Different redaction strategies can be implemented depending on the circumstances. One strategy that I implement when records will be posted online is to make my redactions and then physically scan the document and save it as a PDF. It’s a basic way to protect sensitive portions of records. Please feel free to post a Comment below with other suggested strategies for making secure redactions.
Leave a Comment » | Airport Security, Data Protection, Personal Information, Privacy, Redactions, Safeguarding, Security, Security Breach | Tagged: Airport Security, Data Protection, Personal Information, Privacy, Redactions, Safeguarding, Security Breach | Permalink
Posted by Brian Bowman
September 10, 2009
A summer incident involving sensitive personal information on stolen laptops has brought the issue of data protection once again into the crosshairs of Frank Work, the Alberta Information and Privacy Commissioner.
In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007. The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information. A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted.
These incidents demonstrate how easily sensitive data can be compromised when stored on laptops. Encryption is a relatively easy way to improve the security of such information. But, where do you start? There are numerous encryption options available. Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same, encrypting laptops significantly improves security and that’s just smart business.
Leave a Comment » | Access to Information, Data Encryption, Data Protection, Laptops, Mobile devices, Personal Information, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, PSDs, Safeguarding, Safekeeping, Security, Security Breach, Smartphones, Technology | Tagged: Data Encryption, Data Protection, Due Diligence, Information Technology, Laptop, Mobile devices, Personal Information, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, Privacy Compliance, Safeguarding, Security, Technology | Permalink
Posted by Brian Bowman
August 10, 2009
Have you heard the saying “Just when you think you understand the situation, what you don’t understand is that the situation has changed”? If you think you understand The Personal Information Protection and Electronic Documents Act (“PIPEDA”), get ready… changes may be just around the corner.
PIPEDA was introduced back in 2001. It requires the Canadian Government to review the law every five years. To this end, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “House of Commons Committee”) conducted its review and held public hearings from November 2006 to February 2007, where it heard from over 60 witnesses and considered over 30 submissions from a wide range of interested organizations and individuals. I had the pleasure of appearing before the House of Commons Committee to present the Canadian Bar Association’s National Privacy & Access Law Section’s submission, which you can read here. The House of Commons Committee issued its report to Parliament in May 2007 (which outlined 25 recommended changes to the law), to which the Canadian Government subsequently issued its response in October 2007. As part of the Canadian Government’s response, further public consultation on key issues was requested. A link to the Office of the Privacy Commissioner’s reply to this request can be read here and the Canadian Bar Association’s response can be read here.
Changes to PIPEDA may include:
- a mandatory breach notification regime that would require organizations to promptly notify affected individuals and to report major data breaches to the Privacy Commissioner of Canada;
- amendments to account for the unique circumstances regarding consent in employer/employee relationships; and
- modifications to allow organizations to collect, use and disclose personal information as necessary for the conduct of business transactions, such as mergers and acquisitions.
The Industry Canada website targets 2009/10 for the implementation of changes resulting from this first PIPEDA review. Yet, there is no definitive time frame, so stay tuned. Changes may be just around the corner.
1 Comment | Government, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, Security Breach | Tagged: Businesses, Data Protection, Due Diligence, Employees, Identity Theft, Personal Information, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, Privacy Compliance | Permalink
Posted by Brian Bowman
July 6, 2009
Recently, an interesting article in the Globe and Mail dealt with the issue of smartphone etiquette. Business professionals fidgeting with their BlackBerrys and iPhones in meetings, walking through airports with eyes glued to their small glowing screens and operating their devices in restrooms may seem unrealistic at first blush, but is it really? The reality is that smartphones have permeated the business world. They are everywhere, they are powerful and have the potential to be extremely damaging.
Breaches of confidential corporate data and personal information are nothing new to the business world, but smartphones have brought a new dimension to the problem. Smartphones are starting to make appearances in Canadian court cases in a supporting role, but it won’t be long before they are squarely in the spotlight. The latest iPhone model has up to 32GB of memory while BlackBerrys can store vast amounts of data on memory cards. The equivalent of entire filing cabinets can now be carried around conveniently in your shirt pocket. This reality has increased the risk for massive privacy breaches in the blink of an eye.
The big question is how involved should employers be in regulating and monitoring their employees use of smartphones? All encompassing monitoring of employee smartphone use is a touchy area, but the permeation of smartphones in today’s corporate world and the corresponding risks to businesses necessitates (at the very least) that relevant guidelines concerning their use in the workplace should be implemented by employers. All it takes to damage a business is for one employee to misplace their smartphone without having first activated their security settings.
1 Comment | Employee Monitoring, Privacy, Privacy Breach, Security, Security Breach, Smartphones | Tagged: BlackBerrys, Businesses, Employee Monitoring, iPhones, Privacy, Privacy Breach, Security, Security Breach, Smartphones | Permalink
Posted by Brian Bowman
May 21, 2009
The Manitoba Legislature is currently debating Bill 219 – The Personal Information Protection and Identity Theft Protection Act.
The Bill has been introduced as a private member’s Bill by Mavis Taillieu of the Opposition Progressive Conservative Party of Manitoba. It seeks to regulate the collection, use and disclosure of personal information by organizations in the private sector and is intended to be “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). It would also establish a duty for organizations to notify individuals who may be affected when the personal information an organization has collected is lost, stolen or compromised. Such a requirement would be groundbreaking in Canada (notwithstanding Ontario’s Personal Health Information Protection Act, which has a mandatory breach notification requirement).
Regrettably, the Government of Manitoba indicated in the Legislative Assembly debate last week that it has two primary concerns with the Bill. The first concern is that the Bill lacks an independent oversight body such as a Privacy Commissioner of Manitoba. Legislative rules prevent private member’s Bills from containing financial penalties and so the Bill could not contain such provisions. However, the government could add those provisions in amendments. In fact, I assisted with the drafting of the Bill and would happily provide the government with the relevant provisions. The second concern raised by the government is that the Bill would introduce legislation in Manitoba that (according to the government) would regulate activities in the private sector already governed by PIPEDA. However, PIPEDA does not apply to the activities of private sector organizations in provinces such as Alberta and British Columbia, both of whom have Personal Information Protection Acts, because PIPEDA does not apply where “substantially similar” provincial legislation exists.
The Bill was first introduced in 2005 and since that time the need for such a law has significantly grown. It’s modelled after Alberta’s Personal Information Protection Act, which provides a more business-friendly and clear legislative scheme than PIPEDA. As I’ve previously argued, it would be good policy for the Government of Manitoba to support the Bill and I once again urge them to do so.
If you want a more business-friendly privacy law in Manitoba, I’d strongly encourage you to contact the Government of Manitoba and Mavis Taillieu to indicate your support.
Additional coverage on this topic by the Canadian HR Reporter here.
2 Comments | Employee Monitoring, Government, Identity Theft, Ombudsman, PIPEDA, Privacy, Privacy Breach, Safeguarding, Safekeeping, Security Breach | Tagged: Employees, Government, Identity Theft, Manitoba, Personal Information, PIPEDA, Privacy, Privacy Commissioner | Permalink
Posted by Brian Bowman
Recent news coverage about WikiLeaks has focused on the leaked documents and ethics, or lack thereof, of WikiLeaks’ founder, Julian Assange. Rightfully so.
