#CyberFLASH: Ontario Education department suffers loss of email addresses

An Ontario government department has learned the hard way about the need to secure a Web site. The Education ministry has acknowledged that 5,000 unencrypted email addresses of people who had left contact information on a site were recently exposed.

The ministry realized on March 5 there had been a loss of email addresses left by people who went to a site for information on workshops, Nilani Logeswaran, press secretary to Education minister Liz Sandals, confirmed in an interview this morning. No other personal information was accessed.

The stolen email addresses were then publicly exposed on another Web site, which has since been taken down.

The Ontario Provincial Police and the provincial privacy commissioner are investigating.

As a result of discovering the breach, the Education ministry Web site was immediately taken down. As a precaution, the Ministry of Training, Colleges and Universities’ Web site was also taken offline. Both are now back online, Logeswaran said.

Read more here

#CyberFLASH: Day of action against C-51 draws crowds across Canada

MONTREAL — Thousands of Canadians came together to loudly denounce the Conservative government’s proposed anti-terror legislation in rallies held across the country on Saturday.

In a park in Montreal’s north end, a few dozen of the hundreds of demonstrators taped their mouths shut in protest of the bill, which opponents say would allow the government to stifle protest and dissent. As they marched toward the office of Liberal leader Justin Trudeau, many of the large contingent waved signs bearing messages such as “Stop Harper,” and “Activism is not a crime.”

The Conservative government introduced the legislation, known as Bill C-51, in January.

The wide-ranging bill would give police much broader powers and allow them to detain terror suspects and give new powers to Canada’s spy agency.

The organizers of the nationwide protest say the bill would infringe upon Canadians’ civil liberties and right to privacy, especially online.

Read more here

#CyberFLASH: First target of Canada’s Anti-Spam Law, fined $1.1 million

Last week, the Canadian Radio-television and Telecommunications Commission (“CRTC” or the “Commission”) issued its first Notice of Violation under Canada’s Anti-Spam Law (“CASL”). Canadian corporate training company compu.finder Inc. (“Compu-Finder”) has received a fine of $1.1 million for allegedly sending email without the recipients’ consent or a properly functioning unsubscribe mechanism.

What is CASL, and why is Canada targeting marketers for unsolicited commercial electronic messaging?

Canada’s Anti-Spam Law

CASL became effective in July of last year. The anti-spam law forbids marketers from sending commercial electronic messages (“CEMs”), installing computer programs and/or collecting email addresses using computer programs without obtaining the express consent of consumers. Additionally, CASL prohibits making false or misleading representations in electronic messages and collecting personal information through unauthorized access.

The CRTC, Competition Bureau and Office of the Privacy Commissioner are tasked with enforcing and regulating CASL. These agencies launched an online Spam Reporting Centre so that consumers, businesses and other organizations can report marketers’ unlawful conduct. Organizations that violate CASL risk criminal and civil charges, personal liability for officers and directors and fines of up to $1 million for individuals and $10 million for businesses.

Read more here

#CyberFLASH: Tax time 2015: How safe is your data with CRA?


Security at the Canada Revenue Agency certainly isn’t perfect.

Last year, someone — allegedly a 19-year-old student at the University of Western Ontario — hacked into its servers by using the much-publicized Heartbleed security flaw and made off with the social insurance numbers of more than 900 taxpayers.

A few months later, the taxman accidentally sent CBC News confidential details about prominent Canadians, including former prime minister Jean Chrétien and author Margaret Atwood, such as their home addresses and the value of certain tax credits they were granted.

And in 2013 a report from the federal privacy commissioner warned of “marked weaknesses” in CRA’s privacy and security habits, finding, among other things, that thousands of taxpayers’ files had been inappropriately accessed by employees for reasons including “personal gain, preferential treatment and fraud.”

All of which raises the question, how secure is the CRA? How concerned should Canadians be that their financial data might end up somewhere else entirely, used for who-knows-what nefarious purposes?

Read more here

#CyberFLASH: Office of the Privacy Commissioner of Canada releases research report on privacy and cybersecurity

On February 12, 2015, the Office of the Privacy Commissioner of Canada released a research report entitled Privacy and Cyber Security – Emphasizing privacy protection in cyber security activities (the “Report”). The Report explores the interconnected relationship among cybersecurity, privacy and data protection, including common interests and challenges.

The Report illustrates some of the current and growing challenges for data protection and cybersecurity including:

  • the growing complexity of managing and providing security for cyberspace;
  • the growing sophistication and “professionalization” of cybercrimes and hackings;
  • the future focus of cyber criminals on the mobile sphere;
  • the risks of “big data” and “big data” analytics to individual privacy;
  • the failures of companies and organizations to prioritize breach preparedness; and
  • the shortcomings of a “check the box” approach to compliance with data protection laws, and the need for effective risk management and dynamic implementation of security.

The second half of the Report addresses national cybersecurity policy and foreign policy developments. The Report cautions that as cybersecurity policies progress at the national level, security and public safety concerns may overshadow individual privacy protection. Ronald Deibert, Director of the Canada Centre for Global Security Studies and the Citizen Lab at the Munk School of Global Affairs, University of Toronto, describes this scenario as the “securitization” of cyberspace, where cyberspace becomes solely a matter of national security. To prevent this securitization, Deibert proposes a “stewardship” approach, stating that cyberspace does not belong to a particular person or group and everyone, including governments, law enforcement agencies and the private sector, has a role to play in shaping the foundation and evolution of cyberspace.

Read more here

#CyberFLASH: Regulatory guidance for online and mobile environments

Canadian Privacy Commissioners have recently published guidance for compliance with privacy laws as applicable to online and mobile environments. The guidance explains how organizations can obtain meaningful, informed consent to the collection, use and disclosure of personal information provided by users of online services and mobile apps. The guidance emphasizes the need for transparency and meaningful consent.

Guidelines for Online Consent

In May 2014, the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioners of Alberta and British Columbia jointly published Guidelines for Online Consent to address consent requirements under private sector privacy laws and to explain the privacy commissioners’ expectations regarding meaningful consent in online and mobile environments. Following is a summary of some important aspects of the Guidelines:

  • Personal Information: Personal information is information that can be used, alone or in combination with other available information, to identify an individual. For example, location information (e.g. GPS data), device identifiers (e.g. IP and MAC addresses), click stream data, browser history and user generated social network data.
  • Meaningful Consent: Privacy laws require organizations to obtain an individual’s meaningful consent to the collection, use and disclosure of the individual’s personal information. Consent is meaningful when an individual understands what the organization will do with the individual’s personal information. The key to meaningful consent is openness and transparency – easily accessible, complete and understandable explanations of the organization’s personal information management practices.

Read more here

#CyberFLASH: Tips from a former privacy regulator

As I transit out of my role leading the Office of the Privacy Commissioner of Canada (OPC) to join Dentons’ privacy law practice, I decided to take stock of my experience as a regulator and draw some lessons. I am sharing them in the hope they can assist companies in responding to privacy regulators.

At the OPC, I oversaw many, varied privacy investigations. While focussing on the issues at hand, I couldn’t help but judge the strategy of the respondent companies. In some cases, I was impressed with their principled approach, their openness and their commitment to resolving the matter. At times, I recognized their cooperation publicly. In other cases, I would wonder why they would take an antagonistic stance on an issue as sensitive as privacy, an issue which their customers, in survey after survey, declare to hold so dear. I could see companies hurting their case by their strategy. While the OPC would provide them guidance in privacy law, it was not my place to tell them how to best make their representations.

Now I can. So here are five main tips that I believe can benefit companies in responding to a privacy regulator.

Read more here

#CyberFLASH: Privacy Commissioner questions how Apple and Google respect Canadians


The office of the Privacy Commissioner of Canada (OPC) released its 2013 report examining how more than 2,000 websites and mobile apps release information regarding their privacy practices. The study was conducted with the participation of 19 different privacy enforcement authorities.

Mixed results seem to be the big takeaway from the Privacy Commissioner’s research. According to the report, some large websites have no privacy policies in place at all, while others keep privacy policies hidden, making it very difficult for the average user to find them.

“In today’s digital marketplace, websites and apps regularly collect a wide range of personal information — everything from a person’s location and online activities to their personal preferences and credit card information,” said Canadian Privacy Commissioner Daniel Therrien in a release.

When an issue was identified, the OPC notified the organization of their concerns. Forty websites and apps have already agreed to comply with the OPC’s suggested changes to their privacy practices, which means the Privacy Commission won’t need to move forward with a formal investigation focused on those organizations.

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.