#CyberFLASH: Big Data, Big Risk? Privacy And Security Tips For Fintech Companies

Many fintech companies collect and process vast amounts of data in order to provide financial services quickly and inexpensively. Much of this data is highly sensitive personal information such as date of birth, social insurance number, bank account details, online banking credentials and credit score. The sheer volume of the information increases its sensitivity because over time a fintech company may generate a very detailed and complete picture of an individual. As a result, data security and compliance with applicable privacy legislation are of critical importance. Here are four privacy and security tips for fintech companies.

1. Build privacy protective controls and security safeguards into the technology as it is developed.

For a young fintech company, a data breach could have devastating impacts on customer trust and investor confidence, so most fintech companies are taking privacy and data security seriously. Fintech companies may even have an advantage over existing financial services providers in this regard, since they can build privacy protective controls and security safeguards into the technology as it is developed, rather than having to fit them into existing processes and systems retroactively.

2. Develop and operationalize robust information governance programs.

Because of the rapid pace at which fintech is developed and commercialized, fintech companies may be pushed to start collecting and processing personal information before their privacy and security frameworks are fully developed. This creates unnecessary risk from a privacy and security perspective.

During the Office of the Privacy Commissioner of Canada’s (OPC) investigation into the Ashley Madison data breach, Avid Life Media Inc. (ALM), operator of the Ashley Madison website, admitted that it had gone through a rapid period of growth leading up to the time of the data breach and that it was, at that time, in the process of documenting its security procedures and improving its information security posture.

Read more here

#CyberFLASH: Data lakes mean a plunge into the security pool

Many organizations today are convinced that collecting and hoarding data is their future: without big data, how can they get to know their customers (and potential customers)?

So as the pool of data grows bigger, the need for a way to store it becomes bigger. Often firms have silos of data, but how can that be leveraged? Hence the data lake, a large store of raw data — often built around Hadoop or cloud storage — from which analysts can dip in and create data marts/warehouses. In theory there’s a saving because data doesn’t have to be transformed into familiar formats an organization uses.

But as an article on CSO Online reminds infosec pros, data lakes need securing. After all, what could be a sweeter target than all the valuable data in one place?

“The appeal of increased agility, reduced costs and removal of silos cause many organizations to jump head first into the data lake and ignore basic information governance best practices at their own peril,” Jonathan Steenland, principal at Zyston CISO Advisory Services, is quoted as saying.

That means the standard security strategies must be top of mind. But the article quotes a Gartner analyst saying many of the current data lake technologies on the market don’t have fine-grained security controls. Until they do, access management, encryption, and tracking of data throughout its lifecycle in the enterprise have to be the priorities of the CISO. The protection becomes even more sensitive if the data lake is in the cloud.

Read more here

#CyberFLASH: Brock professor receives grant to find what happens to your data

Check the box to indicate that you have read and agree to the terms of service. This type of notice appears at the bottom of sign-up pages for nearly every website, application, or game many of us use on a daily basis. The question is, does anyone actually do it? We all check the box, but how many people even skim the terms of service or understand what they really mean?

Brock University Adjunct Professor of Sociology Natasha Tusikov has been awarded a grant from the office of the Privacy Commissioner of Canada with the aim of discovering just what big internet companies do with information gathered online and what it means for the online privacy of Canadians. What information do they gather, what do they do with it, and how legal is it? That is not always clear.

Tusikov’s research will cover mostly the big US internet firms: Microsoft, Google, Yahoo, eBay and PayPal, along with the major payment companies, such as Visa and MasterCard.
Internet firms “act as global regulators, controlling different types of content and activity,” says Tusikov. eBay, for example, attempts to control the sale of counterfeit goods in agreement with major retailers. Internet service providers attempt to stop their customers from downloading copies of movies, music and software in agreement with the producers of those products. The problem with most of these agreements, though, is that they are non-legally binding.

“This is a pretty new and interesting area of regulation,” said Tusikov. “Non-legally binding means existing outside of law, existing outside of judicial orders, so essentially these are handshake agreements between big companies… the reasons that some of these rights holders, like Nike and the US government, wanted to go in this direction is because they felt legislation wasn’t working.”

Read more here

#CyberFLASH: How much do we really know about the Canadian intelligence community?

Last year American whistle-blower Edward Snowden proclaimed that Canadian intelligence agencies have the “weakest oversight” in the Western world and compared the Canadian government’s Bill C-51 to George W. Bush’s post-9/11 U.S. Patriot Act.

Canada became a surveillance state under the Stephen Harper Conservatives. In 2014, for example, it came to light that the Government Operations Centre was monitoring residents of Newfoundland and Labrador, including Indigenous Peoples, residents of the Island’s west coast who opposed fracking, and fishermen who were protesting shrimp quotas. This ongoing problem is further complicated by multiple transnational intelligence sharing agreements, in place since World War II, that remain largely unknown to the general public.

Indeed, the rise of the surveillance state is a global phenomenon that cannot be separated from the rise of the internet. But in Canada, because of the lack of any credible oversight, it has played out in a very specific way. This has everything to do with what the Canadian public knows—and more importantly, does not know—about Canadian intelligence agencies.

Canada’s new and highly invasive so-called anti-terror legislation came into force last year with the support of then-Opposition Leader Justin Trudeau and the Liberal caucus. The Trudeau Liberals knew that in order to win the election they would need to undo—or at least promise to undo—much of the damage done by their predecessors. They would have to address the alienation felt by Canadians from having a government that used national security as an excuse to trade away its citizens’ freedom and civil liberties.

Unfortunately, they have yet to repeal or even reform Bill C-51, and recent terrorist attacks in Europe, the U.S., and here at home in Canada have provided the perfect backdrop against which to further delay the process. On August 10, for example, Aaron Driver, a 24-year-old Canadian citizen who was allegedly plotting a terrorist attack in the southern Ontario town of Strathroy, died in a confrontation with police who were following up on a tip from the FBI.

Read more here

#CyberFLASH: Opinion: Big Data, surveillance and Privacy 2.0 after Snowden – Is B.C. on the right track?

Edward Snowden’s analysis of the largest leak yet — the Panama papers — did what Shane Pointe of the Musqueam Nation intended: lift up the hearts and minds of very brave truthtellers. While Snowden’s public conversation terrified many, he also pointed the way to hope in the era of Big Data and the Internet of Things.

When talking about Big Data and Surveillance, focus on the information and knowledge that comes from the data, and the power matrix in which that unfolds. That is the real message from the Snowden event held in Vancouver last Tuesday. Value can be positive or negative: information, knowledge and understanding can be used for good or bad purposes. To make Big Data constructive, we need more than just the technological advances and industrial developments — the key component is keeping sight of the rights to human privacy and personal security.

Advances in Big Data offer huge potential benefits and risks when we bring different data resources together. New machine learning algorithms with massive computational resources are incredible, but they need to be mediated by people who know how to ethically use the new technology and how to derive value from it — and who, as Snowden says, know when to blow the whistle when the public interest is abused.

B.C. is at the forefront of this Big Data wave. At SFU, we have a competitive advantage with our Big Data and Data Science training programs, plus we work with other institutions on other research and training initiatives such as those provided by the Vancouver Institute for Visual Analytics. The Metro Vancouver corporate sector is equally invested. A growing number of companies located in B.C., such as Tableau, Amazon, Global Relay, Phemi, Simba, and Splunk, provide cutting-edge Big Data-related products and services.

Read more here

On Tuesday, Nov. 24, the McGill Intellectual Property & Information Technology Policy Club (IPITPOL) hosted a panel to discuss aspects of privacy and governance concerning the internet of things. The Internet of Things is a term referring to a continuously expanding network of physical devices with network connectivity and the ability to collect data and transmit it through an integrated network widely known as ‘the cloud.’

The panel featured Sunny Handa, a professor at McGill’s Faculty of Law and co-head of the Information Technology Group and India’s Working Group at Blake, Cassels, and Graydon LLP. Richard Janda, a professor at McGill’s Faculty of Law, and Fenwick McKelvey, an assistant professor in the Department of Communication Studies at Concordia University, were also members of the panel.

During the discussion, Handa drew attention to the accessibility of information. A data breach in the cloud can provide companies with consumer information, which enables them to draw premature conclusions about a consumer’s health and persona and can affect things such as life insurance and career opportunities.

“The internet of things is really about big data collection,” said Handa. “Some of you may have this little device [… and] it’s monitoring your heart rate, it’s monitoring your steps, it’s monitoring everything, and […] it gets uploaded into a facility in the cloud that may not be [secure], and if it’s not, then that data goes wherever it shouldn’t go. Then, decisions can be made.”

Read more here

#CyberFLASH: Researchers to study big data collection used on Canadians

A group of prominent researchers has signed on to study what information is being collected about Canadians and what it’s being used for, saying the public remains largely in the dark on the mass accumulation of personal data.

The five-year project, which will be led by the Surveillance Studies Centre at Queen’s University in Kingston, Ont., will examine the use of what’s known as “big data.”

The B.C. Civil Liberties Association, University of Victoria and B.C.’s privacy commissioner are among the organizations that have joined the project as partners.

Micheal Vonn, the civil liberties association’s policy director, said Tuesday that big data consists of massive, complex data sets. The decisions made from such data, she said, can adversely affect individual rights and threaten privacy – though much about the collection of the data and its use is unknown.

“Big-data surveillance is one of the leading human-rights issues of the 21st century,” Ms. Vonn said in an interview.

Among other things, she said, the project will examine how organizations track individuals’ activities and social media use.

“We have one stream that is devoted to looking at big data in the context of national security. Another stream is devoted to what’s called marketing, but will also include things that many people don’t see in marketing, like … political parties’ databases and how they go about targeting the electorate,” she said.

Read more here

#CyberFLASH: Using Big Data for targeted advertising could violate Canadian privacy law

On April 7, 2015, the Privacy Commissioner of Canada ruled in its Report of Findings #2015-001 against Bell, one of Canada’s largest telecommunications companies. The Commissioner ruled Bell’s targeted advertising program violated federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), since Bell did not obtain adequate consents for facilitating the delivery of third party behaviourally targeted ads to its customers. Following the release of the Commissioner’s Findings, Bell decided to withdraw its Relevant Ads Program and delete all existing customer profiles related to the program. It is important to note the decision did not take into account whether Bell was in compliance with the Telecommunications Act (Canada), and this issue is currently before the Canadian Radio-television and Telecommunications Commission (CRTC).

The purpose of PIPEDA is to establish rules to govern the collection, use and disclosure of personal information in a manner that recognizes: (a) the right of privacy of individuals with respect to their personal information; and (b) the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. In making its analysis, the Commissioner examined the sensitivity of the information and the reasonable expectations of Bell’s customers.

The decision establishes “Big Data” as sensitive personal information. Big Data is a broad term used to describe vast amounts of data, collected over time or from multiple sources. Using data analytics or other forms of computational interpretation, Big Data may reveal human preferences, behaviour and patterns. Principle 4.3.6 of PIPEDA provides that express consent is the appropriate form of consent when personal information is likely to be considered sensitive. The Commissioner found that the breadth of information gathered from multiple sources would render the information, when compiled, more sensitive than the individual elements of that information. These multiple sources included:

  • Internet, television and telephone network usage information (such as websites visited and apps used on a mobile device);
  • demographic information (such as billing address, age, gender, language, credit score, average revenue, payment patterns, plan type and mobile device information); and
  • information generated or inferred (e.g. customer interest categories).

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.