#CyberFLASH: On privacy and cyber-security, plan today or fail tomorrow

The story has become all too common for businesses today: privacy breaches create anxiety for consumers, customers, employees and investors, and shatter corporate reputations. Some of the largest companies in the world have suffered data breaches: eBay, Home Depot, British Airways, Sony, Goldcorp and others. But the attacks have also struck small- and medium-sized enterprises, governments and professional associations, with devastating consequences.

A recent survey from The Global State of Information Security noted a 38-per-cent increase in cyber-security incidents detected by firms in 2015 over 2014. Best estimates are that cybercrime cost the global economy $445 billion in 2014. The value is expected to rise, even as firms move to protect themselves and their customers. The reason is simple: it is a target-rich environment for those with the criminal intent and the capacity to exploit inadequate cyber-security.

Today, Canadians are more technologically engaged and literate than ever before, and they are paying attention: 89 per cent of Canadians will avoid companies that do not protect their privacy and 74 per cent have limited their online activity due to privacy concerns. Perhaps the most compelling evidence of how seriously the public takes the issue is the fact that 64 per cent think that online privacy is a human right. The lesson for businesses of all sizes and aspirations is clear: when two-thirds of your customers think that the handling of their credit card numbers, health information, financial information, personal identity and contact information is a human rights obligation, businesses must pay attention and have a plan.


#CyberFLASH: Canada’s privacy law ‘ill-suited’ to 21st century, watchdog warns Trudeau

OTTAWA—Canada’s privacy watchdog has warned Prime Minister Justin Trudeau that federal privacy protections are “ill-suited” for the 21st century.

In a letter obtained by the Star, Privacy Commissioner Daniel Therrien told Trudeau the rules around the government’s handling of private information have not kept up with technological advances or society’s expectations.

The Privacy Act, which governs how the federal government uses Canadians’ personal information, has not been substantially changed since it was introduced in 1983.

When the law was introduced, most government business was conducted on paper. Now, government departments and agencies increasingly hold vast sums of information electronically — bringing a new set of issues, challenges, and vulnerabilities.

“One of the biggest changes in the privacy realm is technology, Canadians’ relationship to it, and the desires by government and industry to harness its power for various purposes,” Therrien wrote in a Nov. 10 letter, obtained under access to information law.

“In this complex, new environment, modernization of our privacy framework and the pressing need for greater transparency around how technology is used is critical to maintaining citizens’ trust in government and the digital economy.”

The Star requested an interview with Therrien but he was unavailable.

This isn’t the first time the issue has been raised with parliamentarians. In a March 22 letter to the House of Commons committee responsible for privacy issues, Therrien provided 16 recommendations to modernize the Privacy Act — and warned that the legislation is becoming increasingly irrelevant.


#CyberFLASH: CRTC joins global anti-spam drive

Canada’s telecom regulator is teaming up with enforcement agencies outside the country to beef up the fight against electronic spam.

The Canadian Radio-television and Telecommunications Commission says it has signed an agreement with 10 agencies in eight countries, with the goal of better enforcing anti-spam laws.

Canada’s own law, which came into effect nearly two years ago, has resulted in a significant drop in digital spam originating in Canada, according to email marketing firm Cyberimpact.

And while the law has resulted in some big fines, including one last year for $1.1 million against Quebec-based Compu-Finder, legal experts have questioned whether Canadian authorities might have difficulty enforcing the law against companies in foreign jurisdictions.

But CRTC chairman Jean-Pierre Blais says the agreement sends a strong message that the international enforcement community intends to stop spammers from sending annoying — and sometimes dangerous — electronic spam.

Signatories include Canada’s privacy commissioner, the U.S. Federal Trade Commission and Federal Communications Commission, communications and consumer authorities in Australia, the Netherlands and the United Kingdom, and agencies in Korea, New Zealand and South Africa.


#CyberFLASH: Why the Privacy Commissioner Doesn’t Need Legal Reforms To Require Transparency Reports

Privacy Commissioner of Canada Daniel Therrien was in the news this week as he expressed concern with the evasiveness of Canada’s spy agencies and the ongoing refusal of some of Canada’s telecom companies (namely Bell) to issue transparency reports. I’ll have more to say about privacy and government agencies in my technology law column next week, but on the issue of telecom transparency reports, I believe that Therrien already has the necessary legal mandate to act now. Therrien urged all telecom companies to release transparency reports, noting:

“I think Canadians are telling us, first of all, that they would much prefer that data be shared from telcos to government only with a warrant, with a court authorization. But when that does not happen, Canadians expect that there be transparency…frankly, if there’s not more progress I will continue to call for legislation on this issue.”

I wrote about why Canada’s telecom transparency reporting still falls short late last month, emphasizing that a non-binding approach to transparency reporting has been a failure. I indicated that there is a strong argument that the law already requires companies to issue transparency reports as part of their obligation to be accountable and open under PIPEDA. Principle 4.1.4(d) establishes the following requirement under the law:

Organizations shall implement policies and practices to give effect to the [privacy] principles, including:
(d) developing information to explain the organization’s policies and procedures

Moreover, Principle 4.8.1 states that:

Organizations shall be open about their policies and practices with respect to the management of personal information.

To date, discussion of these provisions has focused on the need for publicly-available privacy policies. Yet there is no reason to think that they are limited merely to those policies. Ensuring that an organization is fully accountable for the information it collects, uses, and discloses should include reports that explain policies, procedures, and practices around information disclosures to law enforcement.


#CyberFLASH: Canada Pits Constitution Against Right to Be Forgotten

The right to be forgotten may never make the leap across the Atlantic from the European Union to Canada.

Our neighbors to the north are willing to talk about reputational privacy and the right to be forgotten—the concept that individuals should be able to seek removal of online links to their personal data to protect their reputation. But any attempt to significantly regulate Internet speech will run smack-dab into the brick wall established by the freedom of expression guarantee in the Canadian Charter of Rights and Freedoms, privacy professionals told Bloomberg BNA.

Canadians may not be fully in sync with the U.S. populace’s general aversion to restrictions on personal liberty, but neither do they share the European citizenry’s willingness to accept a strong national governance approach to privacy.

The back-and-forth between privacy and free speech rights is highlighted by the Office of the Privacy Commissioner’s approach to the issue. In 2015, the privacy office named reputational privacy as one of its top priorities. To follow up, the privacy office conducted a national consultation regarding online reputational privacy. In January, the office published a discussion paper on reputational privacy.

Privacy Commissioner Daniel Therrien isn’t ready to publicly discuss the consultation’s results or how he will respond, as the process of reviewing submissions is still underway, agency spokesman Tobi Cohen said.


#CyberFLASH: Privacy watchdog wants to see new office enforcement muscle

Canada’s privacy watchdog says “the time has come” to change his role under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) from that of an ombudsman, who can only make non-binding recommendations, to a regulator with authority to make binding orders, and even impose fines on recalcitrant organizations.

In an exclusive interview, federal Privacy Commissioner Daniel Therrien contrasted his limited enforcement powers (“naming and shaming” privacy transgressors and, on occasion, taking them to court) with those of EU and U.S. regulators.

“In many other jurisdictions, privacy regulators have order-making powers and they can impose fines for organizations that violate privacy laws,” Therrien said. “We’ve done well in Canada without these powers, but we think that the time has come to align our laws to those of other western democracies where privacy regulators do have order-making and fine powers. We’re dealing with organizations that are extremely wealthy. To recommend that they change a practice has some effect. But to be able to make an order, and to impose fines, when warranted, I think is necessary.”

The commissioner did not disclose what level of fines he considers appropriate (“we’re not there yet,” he said).

But his endorsement of adding beefed-up enforcement powers to the federal privacy regime — which he considers “an important enhancement” and “not a revolution” — will spark debate.

“I would be quite against…giving the commissioner order-making powers,” privacy law expert David Fraser of McInnes Cooper in Halifax told The Lawyers Weekly. “That would be a revolutionary thing in Canadian privacy law, and actually would require, I think, kind of essentially burning [the office of the privacy commissioner] to the ground and starting again because…if it’s going to have the ability to levy fines, or anything else like that, you have to build in all the procedural fairness requirements. You can’t have a kind of ‘judge-jury-executioner-prosecutor’ all in one office and all in one person, particularly in light of the advocacy-for-privacy role that the commissioner takes.”

Fraser called PIPEDA, as it stands, “a made-in-Canada solution that, in fact, is a complete solution. You have a privacy commissioner whose job…not to an insignificant degree, is framed as a champion of privacy, [who] investigates. The objective is principally to resolve [privacy complaints] and because the commissioner isn’t the cops, and isn’t the judge, at least in my experience, the businesses are inclined to sit down at the table with the commissioner and the commissioner’s investigators, lay all their cards on the table, and look towards building a solution, rather than something that is more adversarial. And so in fact I think all that goodwill would pretty well go out the window, and people would kind of ‘lawyer-up’ in the classic sense. It would get very defensive and it would get very adversarial.”


#CyberFLASH: Should privacy by design be part of Canadian law?

Ann Cavoukian has long touted the benefits of “data privacy by design” and now the European Union has passed an overarching privacy law called the General Data Protection Regulation, which embeds that requirement.

The regulation applies from 2018 in the EU. What is unusual about it is that, as a regulation rather than a directive, it applies directly in all 28 member states, replacing the 1995 Data Protection Directive and the differing national laws each country passed to implement it.

Privacy by design was first developed by Cavoukian in the 1990s when she was privacy commissioner of Ontario. It is an approach to protecting privacy by embedding it into the design specifications of technologies, business practices, and physical infrastructures.

“That in itself is huge,” said Cavoukian, now the executive director of the Privacy and Big Data Institute at Ryerson University.

She was speaking on an International Association of Privacy Professionals panel last week in Toronto called “Privacy by design: How I learned to stop worrying and love disruptive technology.”

Even though privacy by design has been embraced globally for many years, the EU law is the first time it’s appearing in a statute.

Cavoukian noted that Canada’s privacy commissioner, Daniel Therrien, is also now asking if privacy by design should be embedded into Canadian law.


#CyberFLASH: Canada examines health devices during 2016 “Internet of Things” global privacy sweep

GATINEAU, QC — The explosion of Internet-connected everyday objects and privacy concerns surrounding our increasingly wired world have prompted the Global Privacy Enforcement Network to focus on the Internet of Things during the 2016 global privacy Sweep.

This year’s Sweep will take place from April 11th to 15th, 2016 and will involve a number of data protection authorities from around the world, including the Office of the Privacy Commissioner of Canada (OPC), which will focus its efforts on health devices.

“Connected devices, such as fitness trackers, smart scales, sleep monitors and other health related products, are capable of capturing some of our most intimate data,” Commissioner Daniel Therrien says.

“Given the sensitivity of the information, it is imperative that the companies behind such devices are transparent about what they collect, how the information will be used and with whom the data will be shared. I’m pleased the Sweep will focus on this important area under the Internet of Things banner.”

As part of this year’s initiative, authorities will focus on accountability. Sweep participants will look at the privacy communications and practices related to Internet connected devices, but each has the flexibility to choose a different category of products and a preferred approach. While some authorities have opted to sweep wearables, health-related devices or appliances, others will be looking at very specific things like smart meters, connected cars or smart TVs.

Some authorities will purchase products and assess privacy communications right out of the box. They may even put the products to use to get a first-hand look at what personal information is being collected and whether that coincides with what privacy communications say is being collected. Others will choose to examine the privacy information that’s available through the manufacturer’s website. In other instances, authorities may contact the manufacturer, retailer or data controller directly with specific privacy questions. The OPC will use all three methodologies.


© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.