We roll our eyes when news reports reveal another data breach, but maybe we shouldn’t be surprised: a privacy lawyer at one of the country’s biggest law firms says 70 per cent of her clients aren’t willing to prepare for a loss of sensitive data.
“In the early days of privacy legislation I had only one type of client, who said ‘Ah, I’ll deal with it (a data loss) when it happens,’” Kirsten Thompson, a member of the national technology group at McCarthy Tetrault, told a Retail Council of Canada loss prevention conference in Toronto on Thursday.
“Now 70 per cent are still ‘I’ll deal with it when it happens,’ but 30 per cent of my clients are ‘it’s going to happen, I’ll deal with it now.’”
“These are the clients that are getting ahead of data breaches. And frankly, as a lawyer I can do more for my clients in that setting than after a data breach. After a data breach, what happens is I’m stuck with a set of circumstances that we find ourselves in. Manoeuvrability is limited. Whereas beforehand I can work to shape the outcome: I can audit current practices, do privacy gap assessments, look at IT and personnel training, direct policies, data retention practices and procedures for accountability. We can also put together a protocol for the first 24 to 48 hours of a breach, which makes life a lot easier.”
This preparation lowers the risk of an organization suffering a breach, she pointed out, makes it more likely that any breach will be small and contained, and in the end costs less than it does for those who aren’t prepared.
She also told the conference that while there have been a number of quiet settlements between customers suing organizations over breaches, “it’s only a matter of time before a (court issues a) decision with significant damages.”
Asked in an interview later what this says about the readiness of Canadian organizations to seriously face a data breach, Thompson noted that she could only speak about the percentage of clients she has.
“Many Canadian corporations are headquartered in the U.S. and have a different understanding of privacy than we do,” she added. “They’re being driven by their understanding of what happens in the U.S., so when it happens in the U.S. they get caught flat-footed. There’s also the eternal battle on how you spend money on something that hasn’t happened yet. Until now companies have said we’re going to roll the dice on this, it’s no big deal. But as these things are in the paper every week, companies are now not rolling the dice in the same way.”
Thompson was moderating a session for retailers on data breach protection and disaster recovery.
In the past eight months a number of retailers in the U.S. have suffered major data losses through their POS systems, even though all were required to be running systems compliant with the Payment Card Industry Data Security Standard (PCI DSS). But panelist Alexander Rau, a national security strategist at Symantec Canada, warned that PCI “cannot be just a checkbox” … but needs to be a “living and breathing organism” in a full security strategy that covers staff, programs and processes along with technology.
“Technology is not a silver bullet,” he said. “The people and processes you put in place are almost more important than the technologies you’re using. You can never protect yourself 100 per cent, but you can get very close … technology just supports the organizational security structure you have.”
Brent Homan, director general for the federal PIPEDA privacy legislation at the Office of the Privacy Commissioner, made a telling point: if an organization doesn’t need to hold personal information – if, for example, it’s stale or the person is no longer a customer – it shouldn’t hold it. A data retention policy that actually disposes of information once it is no longer needed therefore limits what a breach can expose in the first place.
He also noted that the Harper government’s proposed legislation updating PIPEDA, Bill S-4 (the Digital Privacy Act), will oblige organizations covered under the act to report data breaches to the Privacy Commissioner and to notify affected individuals. Knowingly failing to do so can result in fines.