On the Brink: Privacy-Proof Your Organization or Risk $100,000 Fines

Julie King

Properly proofing your organization against potential privacy breaches is probably one of the last things you want to focus on in your organization as a leader. Yet with the federal government poised to pass amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), this could soon become a critical issue.

Should Canada’s “Digital Privacy Act” pass into law, organizations will face $100,000 in fines for each data breach where they fail to meet notification requirements.

That’s $100,000 for each individual not told of a data breach when organizations deliberately fail to report a breach and $100,000 per incident for organizations that deliberately try to hide a data breach by not keeping or destroying relevant records.

What constitutes a privacy breach?

To answer this question we must first recognize that information has four sensitivity levels: public, sensitive, confidential and secret. When we accept information from an individual that is not public, we become its custodian. In doing so we are obliged to protect the information.

A privacy breach occurs when sensitive, confidential or secret information is either viewed, stolen or used by a person who is not authorized to access that information. Computer hacking is one example that could lead to a privacy breach, but someone watching you type in a password or viewing confidential information over your shoulder could also result in a privacy breach.

The draft legislation requires organizations to report a breach to the Privacy Commissioner when there is “… any breach of security safeguards information under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.”

To err is human…

Having worked with many associations and businesses, should the proposed changes become law they will pose a serious risk for many organizations, because far too often people expose information without even realizing that they have done so. And as we have seen so often with government public relations disasters, there seems to be a natural tendency to try to cover up the mistake.

Here is one scary example: Last year a security specialist I know got a call from a business professional who had his customer database stolen using a known vulnerability in the software. The hacker, who had downloaded the data and then encrypted the files on the professional’s hard drive so they could not be accessed, was trying to extort $5000 to restore the files.

This breach was not the professional’s fault. He had purchased software that had a vulnerability that became known to a hacker and the hacker leveraged it. Yet as the data custodian, it was up to the professional to notify affected customers that their data had been exposed and here he failed. After reviewing the costs and options with the security expert, he opted to do nothing and start over with a new database. There was no notification.

Under the current law, little could be done to force notification. But should the changes to PIPEDA become law, it would be a very different story, as in not notifying customers the professional would face fines of $100,000 for every customer in his database.

To notify is divine

More recently, in April of this year the Canada Revenue Agency (CRA) revealed that almost 1000 social insurance numbers had been stolen through the OpenSSL server vulnerability dubbed HeartBleed. The CRA immediately took proper notification steps, deciding to send all affected taxpayers a notice using registered mail. Even though the breach was not the CRA’s fault and would be costly to manage, they took responsibility for breach notification. This situation would not lead to fines.

How privacy-aware are you and your colleagues?

In my experience, most privacy breaches or potential breaches are due to the ignorance of naiveté of an end-user. This happens when organizations either don’t have the right combination of technology, systems and training to help anyone with access to sensitive information ensure that it is protected. It also happens when people feel rushed to complete a task and do not pause to question whether the way they are exchanging data is secure.

In one incident I recall well from several years ago, an executive director of an association sent me his personal credit card information in an unencrypted email. This was clearly accidental and demonstrates how many people, even organization leaders, can be unaware of when information is confidential and needs special handling.

Just how privacy-aware are you? Here’s a quick test.

Answer yes or no to the following questions to indicate whether the action could result in a privacy breach by someone who either works, volunteers or contracts to the organization.

Action Possible Breach?
Sending an unencrypted file, like an excel spreadsheet, that has sensitive information in an unencrypted email. Yes No
Giving untrained staff access to sensitive information. Yes No
Discussing personal information about someone with an individual who does not need to know this information, even another staff member. Yes No
Writing your password that provides access to confidential documents on your computer on a sticky note posted on your monitor or desk. Yes No
Sending sensitive information to a vendor without knowing how that person will handle the information. Yes No
Uploading a sensitive file to a public folder in the members-only area. Yes No
Losing a smartphone, tablet or laptop with personal information about people. Yes No
Accepting credit cards online without using SSL (https) at the data collection point. Yes No
Faxing sensitive member information to a wrong number. Yes No

As you have probably guessed, every example on this list could lead to a privacy breach or in many cases, be considered a breach even if you are not sure that information was exposed.

The solution for organizations who want to mitigate their data breach risks is clear: Leadership needs to ensure that the technology, systems and training needed to protect private information are in place while also being prepared for extreme situations that could still result in a breach, like the recent discovery of the HeartBleed server vulnerability.

Byline: Julie King is the President and CEO of Biz-Zone Internet Group Inc., a web technology company that provides association management and content management software. Both Julie and Biz-Zone are Privacy by Design ambassadors. Biz-Zone’s recently completely redesigned its association management software, Association DNA, to be the world’s first Privacy by Design AMS.