I was recently interviewed by CTV Rajeev Dhir and CBC Megan Benedictson regarding a pen-shaped ‘spy’ video camera discovered in the staff change room of a Winnipeg public swimming pool. Check out the links above if the story if of interest to you.
The formerly classified documents are tantalizing and the story behind Assange and his WikiLeaks website is fascinating. But amidst the media chatter about the damage inflicted by WikiLeaks itself, the circumstances surrounding the initial release of secret documents from the U.S. government to WikiLeaks should provide a wake up call for other governments and corporations here at home.
Some online banks, e-commerce merchants and Internet-based market research firms are turning to a new technology called device fingerprinting (or machine ID as it’s often called) for online verification and fraud detection. Unlike cookies, however, which can be blocked, filtered and deleted, device fingerprinting is invisible to consumers. For website owners that use the technology, adequate disclosures, consent and safeguards are required, at minimum, to comply with privacy laws.
In fact, device fingerprinting works so well that many businesses that use it might not even be aware that they’re doing so. Is your organization using the technology? If so, it’s vital that your organization’s use of device fingerprinting complies with applicable privacy laws.
To learn more about device fingerprinting click here to view a presentation that I recently delivered alongside Steven Johnston (Senior Security and Technology Advisor, Office of the Privacy Commissioner of Canada) and David Stark (CIPP, Vice President, Compliance and Privacy Officer, GFK Group) to the International Association of Privacy Professionals in Baltimore, Maryland. As you’ll see, the presentation includes an overview of device fingerprinting, identifies relevant privacy law issues (my contribution to the presentation), the OPC’s perspective and provides practical examples.
Thanks to the IAPP for the opportunity to present and compliments to Steven Johnston and David Stark for excellent remarks.
Does your office have a copy machine? If so, then this post is worth reading. CBC news has just released the results of an investigation that exposes the security risks associated with modern copy machines, specifically, the ease at which information scanned into certain copiers can be tapped. Just think about the information that gets scanned into your office copier. Personal information. Confidential corporate information such as client data. Even intellectual property. It’s a scary thought if you haven’t done your due diligence, especially considering that privacy laws can apply to certain data undoubtedly scanned into your copy machine. Check out CBC’s online story here or TV segment here. And if you’d like to learn more, you may also want to read my post from earlier this year which provided a link to a similar CBS news story.
PriceWaterhouseCoopers (PWC) has just released its Global State of Information Security Survey, which says that corporate spending on data security will increase sharply in the coming years. ComputerWeekly.com reports that more than half of respondents to the PWC survey say that their companies plan to spend more on technological defences against security breaches, an increase of 14% from last year. The survey also reveals that the impact of security breaches is growing. According to ComputerWeekly.com ”the number of companies reporting financial losses from data breaches increased 6% in the past year to 20%, up from only 8% in 2008. Intellectual property theft has increased to effect 15% of companies reporting data breaches, up from just 5% in 2008. An increase in the number of sophisticated attacks aimed at stealing information from specific companies is also driving increased security spending according to the Financial Times.”
The PWC survey demonstrates that spending is shifting to monitoring of company networks, at a time when more employees are bringing their own PDA’s and computers into the workplace. But as PWC states, businesses should be making employees the first line of defence against data leaks.
The PWC survey and commentary serves as a reminder of the need to focus resources for data security (and privacy law compliance) strategically. This means investing in technological safeguards but it should mean investing in privacy training for your staff. It’s an important point because so many of the privacy breaches these days result from mistakes, or human error, by one’s own employees. I’d suggest that you compare your organization’s line item for network monitoring with your line item (if it exists) for privacy training. Are your privacy risk mitigation efforts as strategic as they could be?
CBS News has an excellent investigative report here (on YouTube) about the security risks associated with copy machines. Members of the Privacy Forum will already know about this issue because we’ve previously highlighted it and relevant risk mitigation steps in the Canadian privacy law context. However, if you’re not aware of the issue then this report is a “must-see”.
In her remarks, Stoddart discussed the challenge of technology, globalized data flows and social change. While reflecting on her years as Canada’s “village elder” in the privacy community, Stoddart commented:
“When I took over as Privacy Commissioner, Facebook didn’t exist. Neither did Twitter, Flickr, YouTube, Google Street View, Foursquare, iPods and all the many novel ways in which people now routinely connect with the rest of the world. And it’s not just technology that’s different; it’s other drivers of change as well. Like real-time globalization, for instance, and the instantaneous worldwide flow of data. It’s the way people embrace and respond to technology. Their expectations of what the technology can do for them, and at what cost. Is it desirable, for example, to buy greater convenience at the cost of less privacy? In light of these colossal changes over the past decade alone, it would be foolish to try to predict what the next decade will hold. But what we can say for certain is that the regulatory framework we have in place now for the protection of privacy and personal information is already being sorely tested.”
Read the Privacy Commissioner’s full remarks here.
A summer incident involving sensitive personal information on stolen laptops has brought the issue of data protection once again into the crosshairs of Frank Work, the Alberta Information and Privacy Commissioner.
In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007. The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information. A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted.
These incidents demonstrate how easily sensitive data can be compromised when stored on laptops. Encryption is a relatively easy way to improve the security of such information. But, where do you start? There are numerous encryption options available. Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same, encrypting laptops significantly improves security and that’s just smart business.
Have you heard the term “cloud computing“, but aren’t really clear what it means?
Cloud computing is an umbrella term that refers to the use of Internet-hosted computer services. Think of your server — instead of having one in-house server located on company premises, an organization might opt to buy space on a third-party provider’s server. Other options include software hosting and data storage. By purchasing computing services from a variety of Internet-based providers, your computer needs are housed within a larger “cloud” of computer services.
Some organizations are opting for ”Software as a service” (SaaS), and allowing their data to reside on other company’s servers, or “the cloud“. Users only have to buy the space they need, which allows organizations to save money on their technology costs. Other benefits include access to people with technological know-how, flexibility and reduced maintenance costs.
Cloud computing is not new, but is now embedded into the fabric of modern business operations. In fact, the Los Angeles Times has reported that the city of Los Angeles is considering using Google applications for all of its software needs.
Canadian businesses that engage in cloud computing should be reminded that they must do so in compliance with applicable privacy laws. For example, the Personal Information and Protection of Electronic Documents Act obliges organizations that transfer personal information to third parties to ensure appropriate security safeguards are in place.
They should also be mindful of the raging debate about the perils of cloud computing that has been underway now for some time. While cloud computing has the potential to provide benefits, organizations should ask themselves whether it is worth the risks it poses. You might save money in the short run, but is it worth the potential of a massive privacy breach?
Today’s National Post story about a Nova Scotia judge’s decision to allow the publication of a private conversation between Natural Resources Minister Lisa Raitt and her former aide casts a spotlight on a murky area of privacy law.
As reported by the National Post, the unusual case raises questions about what constitutes a “reasonable expectation” of privacy in a world where digital recorders and handheld wireless devices are omnipresent. As I’m quoted in the story, “[researchers] said some years ago that new privacy rules were going to put existing business practices under a microscope. I think what we’re seeing now is technologies are putting existing legal principles under a microscope.” Fellow blogger Dan Michaluk is also quoted.
Read the full story here…