Archive for the ‘Privacy Breach’ Category

20 Jan 2017

Mass mailing mistakes and how to avoid them this tax season


With tax season approaching, many businesses are pulling together mass mailings to send out to customers. The information these mailings contain is likely pretty sensitive – names, addresses, social insurance numbers and financial details. You don’t want it falling into the wrong hands!

Every year, a number of Canadians contact our Office to complain because they received sensitive financial information that does not belong to them. A number of businesses also reach out to our Office to report related breaches.

You can take precautions to prevent printing or mailing errors that can cost your customers dearly and tarnish your reputation as good stewards of personal information:



9 Nov 2016

Privacy Tech-Know Blog: Pay me to regain access to your personal information! Ransomware on the rise



Ransomware is a type of malicious software (malware) which, when installed on a device or system, prevents access to that device, or that device’s content or applications. Once installed and operational, the malware prompts you to pay a ransom to restore full functionality to the device. Personal or sensitive data have been targeted with ransomware, or accessed when attackers were rifling through organizational computers or networks. In fact, ransomware has affected a range of devices, including those running Windows, OS X, and Android, and has affected healthcare providers, police services, public schools, universities, and various types of businesses, in addition to individual consumer users. It’s an increasingly prevalent issue, with Symantec estimating that Canadians were affected by over 1,600 ransomware attacks a day in 2015.



11 Jan 2013

Privacy Commissioner launches investigation of Human Resources and Skills Development Canada breach of student loan recipient information


The Office of the Privacy Commissioner of Canada (OPC) announced today that it is launching an investigation into a breach involving the personal information of more than half a million clients of Human Resources and Skills Development Canada (HRSDC) and 250 departmental employees.

The OPC was informed by HRSDC of the disappearance of an external hard drive containing personal information and financially related data of approximately 583,000 clients of the Canada Student Loans Program and 250 HRSDC employees. Upon receiving this notification, the Assistant Commissioner determined that there are reasonable grounds for a commissioner-initiated complaint against HRSDC to ascertain whether there has been a contravention of the Privacy Act. The Privacy Act stipulates that the Commissioner has the authority under subsection 29(3) to investigate a matter under the Act where she is satisfied that there are reasonable grounds to do so.

The law empowers the Commissioner to launch an investigation in cases where she believes there is a serious possibility that an investigation would disclose a contravention of the Privacy Act.

The OPC is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy rights of Canada. The OPC has a number of resources available on its web site to help individuals protect their personal information, and a section specifically about “Identity Theft” that includes frequently asked questions and fact sheets entitled Protecting your personal information and Identity Theft: What it is and what you can do about it.

For more information go to www.priv.gc.ca.


21 Nov 2012

Employee privacy – a balancing act


Companies are always seeking ways to improve productivity.  The most innovative and successful methods can create some positive buzz around a company.

Other approaches can sometimes be ill-advised, premature or ineffective, and this can make waves within an organization.

Last month, a law firm in Toronto was the subject of some media interest over its highly controversial plan to use fingerprint-scanning technology to monitor the comings and goings of its administrative staff. The plan was meant to ensure that staff were not “abusing the system” with lengthy lunch breaks and short work days. Media reports and blog posts zeroed in on the privacy implications of such a plan.

Our Office wouldn’t have oversight over this specific employment matter – we only have oversight into matters of employee privacy in federal works, undertakings, or businesses (lovingly referred to as “FWUBs”). Otherwise, employee privacy is largely a provincial matter, with several provinces having passed privacy legislation that applies to personal information of private sector employees. It’s unfortunate that there is little redress for employees in those provinces that do not have legislation in place, this being one such case in point.

An employer’s need for information should be balanced with an employee’s right to privacy. While employers may be focused on increasing productivity, they should seek to ensure that they weigh the benefits of any potentially privacy-invasive plans against the costs — and not just economic  costs.  Cost considerations should include potential impact on staff morale, loss of trust and loss of human dignity.

Law firms, in particular, could set a model example in how they handle personal information when managing their law practice. In Girao v. Zarek Taylor Grossman Hanrahan LLP, Hon. Justice Richard Mosley wrote,

“Law firms providing advice to clients who deal with the personal information of their customers must be knowledgeable about privacy law and the risks of disclosure. Lawyers also have a public duty to protect the integrity of the legal process. The failure of lawyers to take measures to protect personal information in their possession may justify a higher award than that which would be imposed on others who are less informed about such matter.”

While the Federal Court was referring to the personal information of clients rather than employees in those circumstances, it’s still a significant message about the high standards of conduct judges expect lawyers to live up to.

We hope law firms will take the opportunity to consult our privacy guidance for lawyers. And we hope organizations will take advantage of the other resources we have on dealing with workplace privacy issues, including our fact sheet for human resources professionals.

 


26 Oct 2012

Privacy Pop – Our top ten films on privacy


Privacy and surveillance have always been compelling themes in pop culture, and Hollywood has certainly used the concepts to great effect. Below, in no particular order, is our own selection of the best films with a privacy theme.

Do you agree with our list, or do you think we’ve left something out? Let us know in the comments!

Louis 19, le roi des ondes (King of the Airways)

The only comedy on our list, Louis 19 traces the path of Louis Jobin, a man initially thrilled to be chosen as the star of a reality TV show, only to discover that celebrity is not all it’s cracked up to be. Released in 1994, the movie predated the onslaught of reality TV shows, social networking sites and the concept of micro-celebrity.

A Scanner Darkly

Like a few of the other films on this list, A Scanner Darkly takes place in the not-too-distant-future, where surveillance is ubiquitous and constant. Based on the Philip K. Dick novel and directed by Richard Linklater, this film also considers notions of identity, and the effects of surveillance on identity.

Caché (Hidden)

This Austrian-French thriller follows the lives of the Laurent family as they attempt to determine who has been secretly videotaping them. Released in 2005, the film has won numerous awards and earned global accolades from film critics.

The Conversation

Gene Hackman plays a paranoid and brilliant surveillance expert in this 1974 film which may or may not be the precursor to another movie which didn’t quite make our cut, Enemy of the State. Directed by Francis Ford Coppola, The Conversation has been praised for its “remarkably advanced arguments about technology’s role in society that still resonate today.”

Gattaca

Gattaca brings the themes of privacy and surveillance to the sub-atomic level. In this version of the not-too-distant-future, DNA plays a major role in determining future profession, potential mates and social class.

Minority Report

Before starting production, director Steven Spielberg assembled a group of futurists to get a handle on what the year 2054 might look like. That would explain the wealth of plausible technology showcased throughout the film, like this scene where Tom Cruise’s character is approached by pushy holographs with  personalized, targeted sales pitches.

The Lives of Others

Released in 2006. A Stasi agent takes an interest in a couple living in East Berlin and begins to monitor them – at first, with the intention of determining their loyalty to the Socialist Unity Party, but then increasingly for his own personal interest in their lives.

1984

George Orwell’s modern classic was brought to the big screen for a second time in 1984. (The first film adaptation was made in 1956.) Like all good cultural memes, this one introduced several new words and phrases into our vocabulary, including Big Brother, thoughtcrime, and memory hole.

Rear Window

Man breaks leg, gets bored, spies on neighbours – high jinks ensue. The high-tech surveillance techniques featured in many of the other films on this list are nowhere to be found in this classic Hitchcock mystery.

Red Road

This Scottish film follows a CCTV operator who actively monitors a man from her past. Director Andrea Arnold has said her depiction of Glasgow as a city under constant surveillance was meant to provoke a debate about the use of CCTV networks.

 


10 May 2012

When using technology to safeguard personal information, sometimes small steps can prevent a big loss


An Office of the Privacy Commissioner of Canada (OPC) survey of 1,006 companies across Canada shows that many businesses are not employing recommended technological tools or practices to protect the digitally-stored personal information of their customers.

For example, the survey found that while the vast majority of companies are using passwords to protect personal information stored on digital devices, many do not ensure that passwords are difficult to guess or that their employees change them regularly—two practices that can really help thwart online criminals.

The survey also showed that almost 50% of companies that store personal information on portable devices like laptops, USB sticks, and tablets do not use encryption to protect the information on these devices—despite the fact that these types of devices are far more likely to be misplaced, lost or stolen.

While the survey did find that many Canadian companies recognize the importance of protecting privacy, it is vitally important that businesses take the time to get it right—for their customers and for their own survival. Businesses that jeopardize personal information risk losing their customers’ trust and their business.

The complete survey, which is considered to be accurate to within +/- 3.1%, 19 times out of 20, can be found on our website.


8 May 2012

International data breach report flags alarming trends


A report by Verizon highlights some extremely troubling trends about the types of data breaches occurring around the globe and also how organizations of all sizes are failing to adequately respond to new threats.

Verizon studied 855 breaches in 2011 involving organizations in 36 countries and compromising over 174 million records. Those figures are alarming in themselves.  But just as concerning are some of the statistics drawn from an analysis of these incidents.  Consider:

  • 98 percent of breaches examined in the report stemmed from external agents, notably organized criminals, but also an increasing number of activist groups.  Meanwhile, only 4 percent of breaches involved internal employees.
  • Hacking was linked to the vast majority of incidents – 81 percent.  As well, increasingly invasive malware was used in 69 percent of the breaches.
  • Most breaches were avoidable, with Verizon’s experts concluding that 96 percent of the attacks were not highly sophisticated.
  • Almost all of the firms involved – 96 percent – were non-compliant with the Payment Card Industry Data Security Standard.
  • Organizations also seemingly had trouble detecting breaches – 92 percent of incidents were discovered by a third party, and typically only weeks or months after the breach occurred.

The report is eminently readable and even occasionally funny (who knew there was a “Sesame Street” method of detecting data breaches).

It also includes a point-of-sale security tip sheet that anyone can cut out and distribute to the stores, restaurants and other businesses they frequent. There are more detailed mitigation strategies at the end of the report.

The report raises some fundamental questions about whether organizations – despite all the warnings and growing evidence of the risks – are taking data protection responsibilities and security standards seriously.


27 Mar 2012

Privacy: Not just good business, but good for business


A recently released study has provided further evidence of the link between privacy and personal information protection and consumer confidence.

The Edelman study  released in February 2012 shows that consumer concerns about data privacy and security are actively diminishing their trust in organizations.  For instance, 92% listed data security and privacy as important considerations for financial institutions, but only 69% actually trusted financial institutions to adequately protect their personal information.  An even sharper disconnect can be seen with online retailers, with 84% naming security of personal information as a priority but only 33% trusting online retailers to protect it.

It’s hardly surprising that consumers are nervous.  Stories about privacy and security flaws and breaches abound in the media these days.  From flaws in mobile applications, retroactive release of archives for marketing, service amalgamation and data breaches, users are constantly confronted with evidence that their personal information is at risk.  Lack of transparency on the part of organizations and consumer discomfort with cross-border data traffic, outsourcing and cloud storage only further exacerbate the issue.

This challenge to trust appears to correlate to an increased willingness on the part of consumers to invest in their privacy.  Where a 2009 study concluded that consumers were unwilling to pay extra for privacy, recent research from the European Network and Information Security Agency (ENISA) finds that individuals weigh security and privacy considerations as heavily as those relating to a product’s design, style, and physical dimensions. All other things being equal, the study discovered that consumers were willing to pay a higher price in order to protect their privacy. 

Investing in privacy is not the only way that consumer concerns are indicated – the Edelman data also shows nearly 50% of participants either leaving or avoiding companies that have suffered a security breach.  Following a data breach suffered by an organization with whom they’re already involved, up to 70% of those surveyed expressed willingness to terminate a relationship or switch providers. 

Findings like this should be a wake-up call for organizations, an indicator that it is no longer enough to “manage” security and privacy concerns. Instead, privacy and security need to be prioritized and strengthened to the point where they can be made key parts of branding and corporate identity.   Consumer confidence is key, and reliant upon trust. And new evidence increasingly shows that privacy is not only good business – it’s good for business.


7 Sep 2010

Know a Young Person Who’d Like to Win an iPad?


We’re launching our 2010 My Privacy & Me Video Contest for 12-18-year-olds – and the first-place winners will win an iPad!

It’s the same thing this year – but a little different, too! Again, we’re asking them to create their own public service announcements about privacy. But this year, we’d like the videos to fall into one of four categories: Surveillance; Reputation Management; Targeted Advertising; or Online Scams. You can find all contest details here.

This year, teams can consist of one to three people. First-place winners in each category will win an iPad. Second-place winners will win a $200 gift card; and third-place winners will win a $100 gift card. We’ve recognized top-participating schools and teachers in the past, and we have something in store for them in 2010! The deadline is December 10, 2010.

For inspiration, sit down with your young ones and watch the 2009 winning videos. Then, have them start exercising their video-making muscles – we can’t wait to see what they’ve got!


28 Jan 2010

It’s Data Privacy Day 2010: Are you taking the proper steps to ensure that your personal information is safe?


On Data Privacy Day 2010, we’d like to take a moment to remind everyone that it is the responsibility of both individuals and companies to make sure that personal information is safe.

If you own a company, or work for a big one: in the past, you may have had to ensure that your customers’ name and address information (and in some cases credit card and billing information) were safe. Now, many of you are providing technology and tools for your customers to put increasing amounts of personal information online. Does your company have the systems in place to safeguard this information? Do you give your customers the tools and options to control how their information is used?

If you are a user of new and cool technology: in the past a telephone was a telephone, a video game was a video game, a stuffed toy was simply that – a stuffed toy. Today, more and more toys and handheld tools come with the ability to go online. Do you understand how to enjoy your toys and gadgets without putting your personal information at risk?

If you are a parent or guardian, teacher, coach or caregiver: do the young people in your life understand how to use all these new toys and gadgets while keeping their personal information safe? Our office has recently made youth privacy a key priority. Today, we have posted some new resources to the Parents & Teachers section of our youth web site. The resources include information on 12 privacy issues (such as the importance of privacy settings and knowing who your friends are on social networking sites), along with ideas for generating discussion about each issue with young people. You can use these resources to start discussion about personal privacy and the importance of thinking about what you post on the Internet.

Regardless of which group you are in – if you need any information about how to keep personal information secure, visit our web sites – priv.gc.ca and youthprivacy.ca.