The woman who will enforce the country’s new antispam legislation has given a clear warning to service providers and businesses that she won’t be trifled with.
Canada has a bad reputation for hosting spammers, Andrea Rosen, chief enforcement officer at the Canadian Radio-television and Telecommunications Commission told the Canadian Telecom Summit on Wednesday, “but that’s not going to be the case much longer.”
Passed in the last session of Parliament but yet to be proclaimed, the act carries a maximum penalty of $1 million for individuals and $10 million for companies that distribute unsolicited email or malicious botnets.
While law protects service providers that are unknowing carriers of spam, Rosen noted that providers usually partner with email distributors and warned them that “willfully turning a blind eye to practices that facilitate abuse is not an excuse. Nor is it a free pass from an investigation.”
If a provider or enterprise has a problem of controlling of email her office will help develop a plan to fight spammers, she said.
“We have the tools to find the spammers wherever they’re hiding [in Canada] and the power to shut down their operations.” That includes power to get search warrants restraining orders and injunctions.
Under Bill C-28, consumers have to give their consent to receive unsolicited email.
Rosen said one organization has estimated Canada is the source of $3 billion of the $100 billion in spam-related fraud and privacy breaches around the world.
She said the commission has recently finished hiring enforcement staff for prosecutions and a computer lab for investigating spam.
She also said the CRTC will work with the federal privacy commissioner and the RCMP, as well as businesses and service providers to stamp out malware.
While cracking a whip, Rosen also sent a message to those who want to avoid prosecution by facing the music.
“Those who walk through our doors first will be treated with more leniency than those who wait for us to show up at their door,” she said.
To quality for leniency, she added, her office will need a full and frank exchange of information.
“Anyone not part of the solution will be considered part of the problem, and I assure you we will go after them.”
Rosen hopes the law will come into effect in the fall.
She was a member of a panel discussion on privacy, which also heard Prescott Winter, chief technology officer of Hewlett-Packard’s ArcSight risk management products division, complain that enterprises don’t take security seriously enough.
The digital economy won’t grow without security, he said, but too many chief executive and chief security officers admit to him they’re not doing a good enough job closing their networks to attackers.
“You can’t protect what you can’t see” on your networks, he said. “You’ve got to be able to see who’s on the network, how to put sensor in place to see where your adversaries are coming in, which pathway they’re using, whose account are they using.”
Just as important, he added, is the company or service provider has to have a security policy linked to the business plan. “Technology without policy goals and risk management frameworks is, quite frankly, dumb.”
“It’s an organizational challenge, an operational challenge, it’s a technical challenge, and most organizations are failing miserably on those scores.”
