The Australian and New Zealand Privacy Commissioners recently released studies examining the use of Portable Storage Devices (PSDs) by their governmental agencies. The aim was to examine the risks to personal information posed by the use of PSDs. PSDs are small, convenient devices capable of storing large amounts of information; they include laptops, cell phones, USB drives, portable hard drives and iPods.
The studies found that government agencies often keep track of the PSDs they issue but seldom audit those devices. Policies regulating proper usage are often developed but rarely enforced. Hardware controls (e.g. sealing off ports and disabling cables) are used less frequently than software controls (e.g. blocking access to certain databases, or monitoring access and the information downloaded).
The majority of agencies (like most private sector businesses in Canada) also allow the use of private PSDs for work (e.g. a cell phone which is used for both personal and business purposes). The studies found that policies regarding the use of private PSDs were less common and much less enforceable than policies for agency-issued PSDs. Even though these studies only analyzed governmental use, the New Zealand Privacy Commissioner stated that she believed the findings were equally applicable to private sector businesses.
As I’ve commented in previous posts, there are privacy risks associated with the use of PSDs. First, there have been numerous incidents of stolen laptops and other PSDs that contained personal information. Second, devices such as USB drives are easy to lose. Third, disgruntled employees can easily use PSDs to steal personal information and other confidential corporate information from their employers: an employee can simply plug in a device and copy a company’s entire database in a matter of minutes. This is called “pod-slurping”, and it is an especially serious threat given that many government agencies and private companies have no software in place to record when data has been copied to a PSD.
In order to avoid a privacy breach and resulting damage to your business, consider implementing some of the suggestions contained in a 2006 investigation by the Alberta Privacy Commissioner (which I would add should, of course, be implemented in accordance with your organization’s privacy policy and applicable law):
Develop policies on proper usage of PSDs (whether company-issued or private) and train employees about these policies. Include detailed instructions about retention and deletion of personal information;
Limit the amount of personal information that is stored on PSDs;
Use encryption on all PSDs that store personal information. Password protection alone is not sufficient: a password prompt that is not backed by encryption can be bypassed by reading the storage directly, and free software programs available on the Internet can crack passwords;
Monitor the use of PSDs through software (e.g. install software that records data copied from a database onto a PSD);
Instead of using PSDs, implement technologies that allow employees to access a database through a secure network;
With respect to laptop thefts, consider installing tracking software that can report the location of a lost or stolen laptop. Also consider a remote “kill switch” that wipes or locks the data on the device if it is lost or if someone attempts to gain unauthorized access; and
Stress to employees the need to use appropriate safeguards at all times, even when at home.
Recently, an interesting article in the Globe and Mail dealt with the issue of smartphone etiquette. Business professionals fidgeting with their BlackBerrys and iPhones in meetings, walking through airports with eyes glued to their small glowing screens and operating their devices in restrooms may seem unrealistic at first blush, but is it really? The reality is that smartphones have permeated the business world. They are everywhere, they are powerful and have the potential to be extremely damaging.
Breaches of confidential corporate data and personal information are nothing new to the business world, but smartphones have brought a new dimension to the problem. Smartphones are starting to make appearances in Canadian court cases in a supporting role, but it won’t be long before they are squarely in the spotlight. The latest iPhone model offers up to 32 GB of storage, while BlackBerrys can store vast amounts of data on memory cards. The equivalent of entire filing cabinets can now be carried around conveniently in your shirt pocket. This reality has increased the risk of massive privacy breaches in the blink of an eye.
The big question is how involved employers should be in regulating and monitoring their employees’ use of smartphones. All-encompassing monitoring of employee smartphone use is a touchy area, but the pervasiveness of smartphones in today’s corporate world and the corresponding risks to businesses mean that, at the very least, employers should implement guidelines governing their use in the workplace. All it takes to damage a business is for one employee to misplace a smartphone without first having enabled its security settings, such as a device password.
I was delighted to learn that IP Osgoode has named this blog the “Pick of the Week”!
IP Osgoode at Osgood Hall Law School in Toronto is a new, independent and authoritative voice which explores legal governance issues at the intersection of intellectual property (IP) and technology. If you haven’t yet visited the IP Osgoode website, I would encourage you to do so as it contains some great content.
It’s been a thrilling week for my colleagues at Pitblado LLP, as it was announced earlier this week that we were to be the first Canadian law firm to guest blog on the must-read slaw.ca. Yours truly, three of my colleagues from our firm’s Information & Ideas Practice Group and our firm’s librarian each contributed one post a day this week to slaw.ca on cutting-edge legal topics. Here’s what we covered…
On Monday, I posted “What Would Happen If One of your Employees Posted a Video of an Irate Customer on YouTube?”, which I cross-posted on my blog earlier this week. The post highlights a YouTube video of an irate customer as a reminder to Canadian businesses of the power of new technologies such as YouTube and the corresponding need to protect against the dissemination of this type of video through employee privacy training and the adoption and enforcement of privacy policies and procedures.
On Tuesday, Carol Lynn Schafer posted “Do TOS Have the Final Word on our Fundamental Rights and Freedoms?”, which discusses the controversial effects of Terms of Service on popular websites such as Facebook and Twitter. As Carol Lynn notes, Terms of Service should be drafted with the bigger picture in mind and can no longer be seen as standard agreements that can be treated with a one size fits all approach.
On Wednesday, Jolin Spencer posted “Whose Property Is It, Anyway?”, which discusses the questions that come into play when employees leave their positions. For example, what can an employee take, and what must they leave, when they vacate their position? As Jolin points out, no business wants its intellectual property assets walking out the door with a former employee.
On Thursday, our firm’s librarian, Karen Sawatsky, posted “Legal Research Bootcamp – Winnipeg Style”, which discusses her experience collaborating with members of the Manitoba Bar Association and the Law Society of Manitoba to create a CLE for articling students on legal research. The Legal Research Bootcamp is a first for Manitoba students, and aims to bridge the gap between when students start their articles and when CPLED begins in the fall.
Privacy professionals will know first hand the importance of conducting regular staff privacy training, which can mitigate customer privacy complaints and (as a result) the overall costs of privacy compliance. I certainly know from my practice that the costs to businesses can be quite significant when having to deal with serious privacy complaints. These costs can include settlements, legal fees and lost productivity. Obviously, it’s better to be proactive and reduce the chances of having to deal with privacy complaints. That’s where regular staff privacy training comes in! Businesses really should conduct staff privacy training on a regular basis – in my view, at least on an annual basis.
In a recent speech to the 10th Annual Privacy and Security Conference in Victoria, B.C., Privacy Commissioner Jennifer Stoddart commented, “Polling for my Office in 2007 found that only a third of all businesses reported having trained staff about their responsibilities under Canada’s privacy laws. This is a huge concern! We recently conducted an analysis of 86 breaches reported to my Office and found that employee awareness and training was the most important contributing factor. It was an issue in more than half of the spills we examined! We found that very basic mistakes – human errors – often lead to breaches. Breaches are caused mostly by employee misconduct and human error, not technological weaknesses.” The full speech is entitled, “A Privacy Check Up For Canadians: Is the Glass Half Empty or Half Full?” and is definitely worth reading.
My December 3, 2008 column in the Winnipeg Free Press details the problems businesses can get in to when they keep every single piece of information on their customers, even when they no longer need it.
This blog provides practical assistance to Canadian businesses so they can better deal with issues related to privacy, access to information and social media law. I hope you subscribe to this blog via RSS (below) or via e-mail (below) so that you can receive timely updates to new posts. Thanks, Brian
This blog is presented for informational purposes only. Content does not constitute legal advice or solicitation and does not create solicitor-client relationship. Views expressed are solely the author's and should not be attributed to any other party, including Pitblado LLP or its clients. The author makes no guarantees regarding the accuracy or adequacy of the information contained herein or linked to via this blog. The author is not able to provide free legal advice. If you are seeking advice on specific matters, please contact Brian Bowman at (204) 956.3520 or bowman@pitblado.com, but please be aware that any unsolicited information sent to the author cannot be considered to be solicitor-client privileged. Comments published on this blog do not reflect the views of Brian Bowman, Pitblado LLP or its clients.