Fines needed to help stem growing data breaches, Privacy Commissioner says

May 4, 2011

The Privacy Commissioner of Canada has called for legislation empowering her to impose substantial fines against major corporations that fail to adequately protect Canadians’ personal information from preventable breaches.

“I am deeply troubled by the large number of major breaches we are seeing, including serious incidents in recent weeks that have affected hundreds of thousands of Canadians,’’ Jennifer Stoddart said in a speech today at the Canada 3.0 forum in Stratford, Ont. “It seems to me that it’s time to begin imposing fines – significant, attention-getting fines – on companies when poor privacy and security practices lead to breaches.” To learn more, read the complete news release.

Leave a Comment » | Privacy, Privacy Breach, Data Protection, Privacy Commissioner of Canada, Legislation Update | Tagged: , , , | Permalink
Posted by Brian Bowman

How safe is your scan? Hard drives on copy machines pose risk

October 20, 2010

Does your office have a copy machine? If so, then this post is worth reading.  CBC news has just released the results of an investigation that exposes the security risks associated with modern copy machines, specifically, the ease at which information scanned into certain copiers can be tapped. Just think about the information that gets scanned into your office copier. Personal information. Confidential corporate information such as client data. Even intellectual property. It’s a scary thought if you haven’t done your due diligence, especially considering that privacy laws can apply to certain data undoubtedly scanned into your copy machine. Check out CBC’s online story here or TV segment here. And if you’d like to learn more, you may also want to read my post from earlier this year which provided a link to a similar CBS news story.

Leave a Comment » | Data Encryption, Data Protection, Identity Theft, Privacy, Privacy Breach, Safeguarding, Safekeeping, Security, Technology | Tagged: , , , , , , | Permalink
Posted by Brian Bowman

Privacy breach notification: to notify or not to notify?

August 23, 2010

The CBC National News is reporting in this video news clip that the children’s retail store Please Mum has alerted its online customers about a privacy breach to its online customer database that occurred in early June. Despite the fact that the long-awaited amendments to PIPEDA (which will require organizations to notify affected customers when certain privacy breaches occur) have not yet become law, Please Mum has taken the initiative to alert its customers. 

In the absence of specific legal requirements, the decision to notify customers when privacy breaches occur is not an easy task. Far from it. Factors that businesses should consider include assessing what personal information was compromised, the cause and extent of the privacy breach, the number of affected individuals and the anticipated harm that could result from the privacy breach.

Leave a Comment » | Online Shopping, Privacy, Safeguarding, Safekeeping, Security Breach | Tagged: , , | Permalink
Posted by Brian Bowman

Rite Aid Fined $1 Million (U.S.) for Improperly Disposing Personal Information

August 9, 2010

Hogan Lovells LLP is reporting that Ride Aid has agreed to pay $1 million dollars (U.S.) to settle violations of U.S. health information privacy requirements. Interestingly, the FTC has ordered Rite Aid to cease misrepresenting its information security practices to customers and establish other personal information management securities safeguards.

As I have previously posted, we’ve seen million dollar privacy awards here in Canada but what’s interesting is the fact that the FTC took issue with an organization “misrepresenting” its privacy protection practices. It’s a good reminder that simply having a privacy policy doesn’t cut it. Businesses must ensure that internal policies and procedures exist and are enforced on an ongoing basis in order to live up to commitments made in privacy policies.

Leave a Comment » | Privacy | Tagged: , , | Permalink
Posted by Brian Bowman

A Conversation with Jennifer Stoddart, Privacy Commissioner of Canada

January 25, 2010

I’m very pleased to be able to post the following conversation with Jennifer Stoddart

Since becoming Canada’s Privacy Commissioner in 2003, Commissioner Stoddart has undoubtedly raised the value of privacy in a time when security, trade, technology and consumer expectations have created a volatile atmosphere for our personal information. I might add that she has accomplished this admirable feat with passion and professionalism.  As a result, Canadians have been exceptionally well-served.

Of course, I’d like to thank Commissioner Stoddart for agreeing to engage in this online Q & A conversation.  If you’d like to learn more about Jennifer Stoddart, the Office of the Privacy Commissioner of Canada (the “OPC”) or the issues raised in this conversation, I’d encourage you to visit the OPC’s website and blog.

Q. How did you get involved in the world of privacy?

A. Back in the spring of 2000, I happened to read an article in the New York Times Magazine by the noted American legal scholar Jeffrey Rosen. Prof. Rosen was explaining how personal privacy was being subtly eroded in the digital age. I was fascinated.

I was working at the Quebec Human Rights Commission at the time. The next week, I was asked to head up Quebec’s Access to Information and Privacy Commission, and that’s the field I’ve been in ever since.

Q. But it’s coming to an end.

A. Sadly. My seven-year term as Privacy Commissioner will wind up this year. On the plus side, though, I can look back with considerable pride at the progress we’ve made. The encroachments on privacy in this digital era really are staggering, but that doesn’t mean we’re letting them bowl us over.

Last year’s investigation into a complaint against Facebook was surely the most high-profile example of the kind of influence we have. And beyond that I would say that we’re making a meaningful difference, in countless other ways, every day of the year.

Q. What are the most rewarding aspects of being the Privacy Commissioner of Canada?

A. Certainly one of the most rewarding things for me is to know that our work matters, that it has a real and positive impact on the lives of Canadians.

As you know, it’s become fashionable in some circles to suggest that privacy is pretty much dead in this era of digital exhibitionism. But I think that’s totally wrong. And the best evidence for that was the worldwide response to our Facebook investigation.

Privacy may look different today than it did a generation – or even a decade – ago. But it remains an incredibly important and cherished value to Canadians. And to the extent that my Office can help protect that value, and advance privacy rights, I would say that is the most rewarding aspect of my job.

Q. What do you consider to be the greatest challenges for the Office of the Privacy Commissioner of Canada?

A. Our biggest challenges are the same that preoccupy data-protection authorities around the world: How to safeguard privacy rights in the face of so many rapidly changing technologies. You yourself have blogged about many of them – cloud computing, behavioural marketing, genetic technologies, to name just a few.

We’re seeing unimaginable quantities of data flash around the world, including to countries where data-protection laws are slim to non-existent. We’re also seeing technologies employed in the service of national security and law enforcement, but they’re guarded behind a wall of secrecy.

So the challenges are real, and they are huge.

Q. So how does an Office like yours keep up?

A. I guess the short answer is: By working smarter. We have zeroed in on four priority privacy challenges that are shaping and streamlining our work for the years ahead: information technology, genetic technology, national security and the protection of identity integrity.

We are re-engineering our internal processes to better handle the complaints and inquiries that come to our Office. We’re picking and choosing our privacy audits and our communications and public outreach efforts in order to maximize our impact. We’re ramping up our issuance of guidance, on the theory that an ounce of prevention outweighs a pound of cure. And we’re working with the global data-protection community, since so many of the challenges are international in scope.

But, most important of all, we’ve recently attracted an infusion of very bright, very knowledgeable – and in many cases young – new employees to key positions in our Office. They are really making a difference.

Q. If you could make a few recommendations for Canadian business leaders, what would you say?

A. First I’d thank them for having embraced PIPEDA, the Personal Information Protection and Electronic Documents Act as it came into force over the past nine years. When I look at the situation of our neighbours to the south, where there is no single law at the federal level to protect the personal information of consumers in a commercial setting, I am deeply gratified by the way things can work up here.

Beyond that, I would encourage business leaders to continue to consult the guidelines we issue on specific topics for the purpose of clarifying the responsibilities of organizations under PIPEDA. And we invite them to work with us to fill any other information gaps they may have encountered.

I also want to take this opportunity to mention that data breach notification will become mandatory – and I suspect that will happen sooner rather than later. So I would encourage business leaders to start giving some thought now to how they can bring their processes into compliance. 

Q. Do you have any “privacy-related” predictions for 2010?

A. I don’t think you need a crystal ball to conclude that national security will continue to dominate the privacy landscape in the year ahead. The controversy that erupted over Transport Canada’s deployment of millimetre-wave scanners at Canadian airports was just the first of the privacy-related issues that we can expect to be hearing about in 2010.

And stay tuned for more during and after the Vancouver Olympics. There, one of the big issues will revolve around the pervasive crowd surveillance measures, and what will happen with all the cameras and recordings after the flame is extinguished.

I’ll just mention two other issues of particular interest to our Office, because we will be consulting Canadians on them in the next few months. The first will focus on the tracking, profiling and targeting of consumers by marketers and other businesses, and we’ll be hosting consultation forums on that topic in Toronto in April and Montreal in May. Soon after, we’ll organize another forum to discuss the privacy implications of cloud computing.

10 Comments | Airport Security, Government, Personal Information, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, Privacy Commissioner of Canada, Security | Tagged: , , , , , , , | Permalink
Posted by Brian Bowman

Mandatory privacy breach notification requirement inevitable

December 15, 2009

For years now, Ontario’s Personal Health Information Protection Act has contained provisions requiring health custodians to notify individuals if their personal health information is stolen, lost or accessed by unauthorized persons.  Until now, such mandatory privacy breach notification provisions have been limited to the sphere of health care in Ontario. That’s about to change.

The federal Personal Information Protection and Electronic Documents Act will likely contain mandatory privacy breach notification provisions in the near future. Since 2006, Special Committees at both the Federal and Provincial (Alberta and B.C.) levels have convened and generated a series of recommendations relating to breach notification.  For further information on these recommendations, see the final reports of the Federal , Alberta and B.C. committees.

The most important recommendation independently generated by each of the committees provides that organizations should be under a statutory breach notification duty.  On October 27, 2009, the initial step toward implementing this recommendation was taken in the Alberta Legislature with the first reading of Bill 54: Personal Information Protection Amendment Act, 2009.  The Alberta privacy breach notification provisions will soon come into force. British Columbia and the Feds are expected to follow suit and implement similar requirements in the near future. When that occurs, private sector organizations across Canada will be required by applicable law to notify affected individuals when privacy breaches occur.

The best advice is to make sure that privacy protection policies, procedures and training are implemented and enforced… now.

Leave a Comment » | Personal Information, PHIA, PIPEDA, Privacy, Privacy Breach | Tagged: , , , , | Permalink
Posted by Brian Bowman

Rogue employees pose risk to privacy compliance, corporate info

November 18, 2009

The U.K.’s Huffington Post is reporting that a rogue employee of a major mobile phone company has illegally sold millions of customer records to rival companies.  Apparently, customers’ personal information (including contract expiry dates) was sold to several rivals, which then used the material to cold-call customers to offer them an alternative deal.

As I’ve previously written, information really is the most valuable corporate asset. And for this reason, businesses of all sizes should take steps to protect corporate information regardless of whether it is stored online or off-line. Whether it’s customer or supplier lists, intellectual property or employees’ personal information, it’s information that needs safekeeping. 

This case should serve as a reminder that corporate safekeeping practices must include protecting data from rogue employees.

3 Comments | Data Protection, Due Diligence, Personal Information, PIPA, PIPEDA, Privacy, Privacy Breach, Safeguarding, Safekeeping, Security | Tagged: , , , , , , , , , , | Permalink
Posted by Brian Bowman

Laptop Encryption: “I don’t know what we have to do to drive this message home” says Commissioner

September 10, 2009

Laptop 11A summer incident involving sensitive personal information on stolen laptops has brought the issue of data protection once again into the crosshairs of Frank Work, the Alberta Information and Privacy Commissioner

In a press release, the Commissioner expressed shock and disappointment with the fact that the stolen laptops, which contained the personal health information of more 300,000 individuals, were not encrypted. “This is shocking for me…I don’t know what we have to do to drive this message home” said the Commissioner. “The standard in Alberta for storing personal or health information on portable devices is encryption. I can’t accept anything less.” The Alberta incident is strikingly similar to an incident that occurred in Ontario back in 2007.  The Ontario incident also involved the theft of a non-encrypted laptop containing personal health information.  A review of the incident by Ann Cavoukian, Ontario’s Information and Privacy Commissioner, produced an order for information of this type to be encrypted. 

These incidents demonstrate how easily sensitive data can be compromised when stored on laptops.  Encryption is a relatively easy way to improve the security of such information.  But, where do you start? There are numerous encryption options available.  Choices range from free open source encryption software like TrueCrypt to full information security consultations from companies that offer comprehensive data protection services like Seccuris. Regardless of which course you choose, one fact remains the same, encrypting laptops significantly improves security and that’s just smart business.

Leave a Comment » | Access to Information, Data Encryption, Data Protection, Laptops, Mobile devices, Personal Information, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, PSDs, Safeguarding, Safekeeping, Security, Security Breach, Smartphones, Technology | Tagged: , , , , , , , , , , , , , , | Permalink
Posted by Brian Bowman

Changes to PIPEDA may be coming soon

August 10, 2009

coming-soonHave you heard the saying “Just when you think you understand the situation, what you don’t understand is that the situation has changed”? If you think you understand The Personal Information Protection and Electronic Documents Act (“PIPEDA”), get ready… changes may be just around the corner. 

PIPEDA was introduced back in 2001. It requires the Canadian Government to review the law every five years.  To this end, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the “House of Commons Committee”) conducted its review and held public hearings from November 2006 to February 2007, where it heard from over 60 witnesses and considered over 30 submissions from a wide range of interested organizations and individuals. I had the pleasure of appearing before the House of Commons Committee to present the Canadian Bar Association’s National Privacy & Access Law Section’s submission, which you can read here. The House of Commons Committee issued its report to Parliament in May 2007 (which outlined 25 recommended changes to the law), to which the Canadian Government subsequently issued its response in October 2007. As part of the Canadian Government’s response, further public consultation on key issues was requested.  A link to the Office of the Privacy Commissioner’s reply to this request can be read here and the Canadian Bar Association’s response can be read here.

Changes to PIPEDA may include:

  • a mandatory breach notification regime that would require organizations to promptly notify affected individuals and to report major data breaches to the Privacy Commissioner of Canada; 
  • amendments to account for the unique circumstances regarding consent in employer/employee relationships; and
  • modifications to allow organizations to collect, use and disclose personal information as necessary for the conduct of business transactions, such as mergers and acquisitions.

The Industry Canada website targets 2009/10 for the implementation of changes resulting from this first PIPEDA review.  Yet, there is no definitive time frame, so stay tuned. Changes may be just around the corner.

1 Comment | Government, PIPEDA, Privacy, Privacy Breach, Privacy Commissioner, Security Breach | Tagged: , , , , , , , , , , | Permalink
Posted by Brian Bowman

Portable Storage Devices (PSDs): Lessons learned from Australia and New Zealand

July 13, 2009

PDAs 8The Australian and New Zealand Privacy Commissioners recently released studies examining the use of Portable Storage Devices (PSDs) by their governmental agencies. The aim was to examine the risks to personal information posed by the use of PSDs.  PSDs are small, convenient devices that are capable of storing large amounts of information including laptops, cell phones, USBs, hard drives and iPods.

The studies found that government agencies often keep track of the PSDs they issue but seldom do audit checks on those devices. Policies regulating the proper usage are often developed, but rarely enforced. Hardware controls (i.e. sealing off ports and disabling cables) are used less frequently than software controls (i.e. blocking access to certain databases, monitoring access and information downloaded, etc.).

The majority of agencies (like most private sector businesses in Canada) also allow the use of private PSDs for work (i.e. a cell phone which is used for both personal and business purposes). The studies found that policies regarding the use of private PSDs were less common and much less enforceable than policies for agency-issued PSDs. Even though these studies only analyzed governmental use, the New Zealand Privacy Commissioner stated that she believed the findings were equally applicable to private sector businesses as well.

As I’ve commented in previous posts, there are privacy risks associated with the use of PSDs. First of all, there have been numerous incidents of stolen laptops and other PSDs that contained personal information. Secondly, devices such as USBs are easy to lose. Thirdly, disgruntled employees can easily use PSDs to steal personal information and other confidential corporate information from employers.  For example, an employee can simply click a button and download a company’s entire database in a matter of minutes. This is called “pod-slurping” and is especially a threat given the fact that many government agencies and private companies do not have the software capability to track when data has been downloaded to a PSD.

In order to avoid a privacy breach and resulting damage to your business, consider implementing some of the suggestions contained in a 2006 investigation by the Alberta Privacy Commissioner (which I would add should, of course, be implemented in accordance with your organization’s privacy policy and applicable law):

  1. Develop policies on proper usage of PSDs (whether company-issued or private) and train employees about these policies. Include detailed instructions about retention and deletion of personal information;
  2. Limit the amount of personal information that is stored on PSDs;
  3. Use encryption on all PSDs that store personal information. Password protection alone is not sufficient as there are free software programs available on the Internet which can crack passwords;
  4. Monitor the use of PSDs through software (i.e. install software that tracks data downloaded from a database onto a PSD);
  5. Instead of using PSDs, implement technologies that allow employees to access a database through a secure network;
  6. With respect to laptop thefts, consider installing tracking software that can trace the location of a lost laptop. Also consider installing a “kill switch” so that the computer will self-destruct if an individual tries to gain unauthorized access; and
  7. Stress to employees the need to use appropriate safeguards at all times, even when at home.

Leave a Comment » | Access to Information, Privacy, PSDs, Safekeeping, Security, Technology | Tagged: , , , , , , , | Permalink
Posted by Brian Bowman

« Previous Entries
Follow

Get every new post delivered to your Inbox.

Join 73 other followers