Welcome to Cyber Security Today. This is the Week In Review edition for the week ending Friday July 23rd. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com. My guest this week is Cat Coode, founder of the Canadian privacy consulting firm Binary Tattoo.
She’ll join me in a few minutes. But first a quick look at some of the top stories of the past seven days:
Canada, the U.S., Japan and NATO countries joined to accuse China of years of malicious cyber activity, including responsibility for the Microsoft Exchange Server compromise discovered earlier this year.
They also alleged Chinese government affiliated groups have been responsible for widespread ransomware attacks and data theft. Criminal charges were laid by the U.S. against four members of China’s Ministry of State Security who worked through a front company. They will probably never face trial. The Chinese Embassy in Washington called the allegations groundless.
Separately, the U.S. also said Chinese state-sponsored hackers breached the networks of at least 13 American oil and natural gas pipeline operators between 2011 and 2013.
Speaking of ransomware, one of the biggest law firms in the U.S. has admitted being hit by ransomware in February. The firm can’t confirm whether the attacker copied or saw the information of clients. But it says the files involved had persons’ names, dates of birth, Social Security numbers, driver’s licence numbers and other data.
Another ransomware victim is Cloudstar, a provider of computer infrastructure services to a number of companies in the real estate, finance, insurance and energy sectors. The company said all but its email, email encryption and some support services are unavailable. As of Thursday, when this podcast was recorded, it still hadn’t fully restored systems.
One of the reasons crooks like using cryptocurrency payments is they are hard to trace. The European Commission, which oversees the European Union, has an idea: Force cryptocurrency service providers to collect information on those who own cryptocurrency wallets, as well as those who send and receive cryptocurrency. These would be similar to the anti-money laundering rules banks have to follow. A vote on the proposed change to regulations may take place later this year.
A year ago this month Twitter users were stunned when hackers took over the accounts of well known people and began to spread a cryptocurrency scam. Now a fourth person has been charged in Spain for that attack. The British citizen has also been charged with involvement in taking over TikTok and Snapchat accounts. Of the four, one, considered to be the mastermind of the Twitter hack, has pleaded guilty and been sentenced to three years in prison.
Finally, with political observers increasingly predicting Canadian Prime Minister Justin Trudeau will call a fall election soon, I wrote about what would be lost: The proposed overhaul of our existing privacy law covering many businesses. The proposed bill C-11, to be called the Consumer Privacy Protection Act, would among other things expand the powers of the privacy commissioner, and create a new tribunal which would decide if major fines against companies that violate the act should be levied. But if Parliament is dissolved for an election, the bill dies.
That’s the topic I’m going to start with.
(The following is an edited transcript of my conversation with Cat Coode. For the full discussion play the podcast.)
Howard: First tell us a bit about yourself.
Cat: I come from an engineering background, spent over a decade making Blackberry devices and software development and architecture. I was at Blackberry right around the time when iPhones were coming out [and] everybody was jumping to the iPhone because they thought it was cooler and fancier. And as somebody who is on the back end, I knew what we did well on Blackberry was privacy and security. When I saw everyone moving to something that was sexier and cooler, instead of something that was secure and private, I realized people didn’t really understand what they were doing with their data. So when I left Blackberry I started my own consulting company in privacy to help people better understand where data was going, how it was being stored and how it was being used. The bulk of what I do now is consulting for companies, helping them understand regulations, running privacy impact assessments and helping them see how they can put ‘privacy first’ design into the services and products that they offer.
Howard: I want to turn to Bill C-11. It’s a big overhaul of the existing law, which is known by its acronym, PIPEDA. The update is largely because privacy laws in countries around the world have to be similar to the European Union’s privacy regulation known as GDPR. C-11 was introduced last November. It’s eight months later, and it’s nowhere near being passed. And if an election is called, the bill dies. Cat, what did you think of the bill when you first read it?
Cat: One thing I like to explain to people with privacy regulations, including GDPR, is that they are legal regulations, but they have a technical implementation to them. So they have guidance around how to protect people’s rights and how to protect consent or how to present it. But there isn’t anything in C-11 around the technical safeguards that are also required to protect people’s data. And that’s what I had been hoping to see. So with all the shortfalls or pluses that it may have around how it’s handling legal rights, it doesn’t have any guidance around anything technical on how companies are actually supposed to protect the private data that they have.
Howard: Well, some of that would be in regulations that the government would set out once the bill was passed, the same as under PIPEDA.
Cat: Yes. But PIPEDA also doesn’t have a lot of technical safeguards. GDPR had some. GDPR was certainly pushing for Privacy by Design, which we all know as Dr. Ann Cavoukian’s baby — and it came out of Canada. So it was a big surprise when C-11 came that there wasn’t more emphasis on the privacy by design mentality and the enforcement of these privacy impact assessments that look for that privacy at the root of what we’re building. What GDPR has done successfully, in my opinion, is iterated. They found things that they thought were missing and then they’ve included them. One thing they have done actually quite recently is updated their standard contractual clauses (SCCs): If data is staying within Europe, you are allowed to move that personal information around and it is considered safeguarded because it’s within the GDPR. If you are moving that personal information outside of Europe, then those companies need what’s called a standard contractual clause to explain how they are safeguarding and protecting the data and why what they have in place will still continue to meet the GDPR. Quite recently, in the summer of 2021, they have actually updated the SCCs to include 17 different specific technical safeguards that have to be explained in detail, around encryption, disaster recovery, and all sorts of information about how you are actually safeguarding the personal information you’re moving. I haven’t seen anything like that in Canada.
Howard: What did your clients say to you about C-11, or were they waiting to see whether it was passed?
Cat: It’s quite interesting. I find because I come from the technical world, people are not very regulated. Like, if you come from the financial industry, you’re under financial regulation. You come from the health industry, you’re under health regulation. But when people are coming into the commercial space from a technical side, they don’t actually know much about regulations. And although we said, ‘You know, PIPEDA is probably just as good, if not better,’ nobody’s following it. So I find there are so many clients that aren’t meeting the basic requirements from PIPEDA. And then when they heard about C-11 they got all excited about the fact that, ‘Now we have a privacy regulation in Canada. What do I need to do for my privacy program in order to meet this regulation?’ So again, from the privacy side, we already had it, but for whatever reason, there was no impetus on these companies to actually look into what that meant and implement it.
Howard: That’s really interesting. PIPEDA has been around 20-plus years. So why don’t the Canadian businesses who come under the ambit of PIPEDA know much about it? Why aren’t they taking it seriously?
Cat: I presume because there’s no ramification to not taking it seriously. There’s very little in the way of any kind of fine. It rarely makes the news. And then you get two kinds of clients. There’s the clients that say, ‘Hey, I want to do right by my client, my customers, what do I do?’ And then there are the ones that say, ‘What is the minimum [I need to do]?’ And they’re always measuring that risk versus reward. [They think] ‘What is the minimum I need to do for privacy in order not to get sued? What do I need to do in order to meet whatever I have to meet in order not to be charged money?’ And so they’re assuming this privacy risk, because they don’t see what other consequences there would be to not following these privacy guidelines.
Howard: Monetary penalties are a whip. Do businesses need to face a whip in order to comply with things? You know, it’s really embarrassing to be hit by a cyber attack in one way or another. The public is probably going to find out. And one might think that that would be enough impetus. But there are some people who think unless there’s a threat of multimillion-dollar fines, businesses won’t act. What’s your thought?
Cat: I agree. And so there’s the carrot and the stick. And the carrot is if you build trust, if you show that you’re a good company, people will come to you, they will use your product. Then that will be the differentiator. But the stick, the stick is either a financial penalty or what we’re finding now with B2B companies: They’re getting all these vendor requests. We’ve always had security checklists. Now we’ve got privacy checklists. So if you are trying to do business with a bigger company, they’re going to send you a privacy checklist. And if you can’t thoroughly answer all those questions, then you lose the business. And most of the privacy impact assessments I have done are because these companies are now required to do either the assessment or fill out a security or privacy checklist. Not because they’re doing the right thing, but because the partners and their bigger clients need them to. And so that’s why they’re actually taking the time and resources to put privacy ahead.
Howard: To bring it closer to the GDPR, C-11 would give the privacy commissioner the ability to recommend levying administrative penalties of up to $10 million or three per cent of a company’s global revenues, whichever is higher for a serious violation of the act. There could be a new maximum fine of up to $25 million or five per cent of global revenues, whichever is higher. But the privacy commissioner doesn’t get to be judge and jury. There’s a proposed new tribunal, and the privacy commissioner would make his recommendations to that tribunal, which would be appointed by the government. The tribunal would have the final say. Splitting off the powers is something that some critics, including the privacy commissioner, have been outspoken about. What are your thoughts?
Cat: I would tend to agree. I always joke when I’m explaining global regulations to people that it’s so Canadian of us that we have the privacy commissioner sit there and go, ‘I’m so sorry to bother you, but I really think you should fix this.’ And then someone else makes the decision [on a fine]. That’s a very Canadian thing to do. We kind of ask permission before we actually take action. I do feel like we aren’t going to be able to act on the penalties if we’ve got these multiple steps. And I know our commissioner’s already said they don’t have the bandwidth to manage that in the way … It’s going to be overwhelming. It would be better if the provinces handle it. The provinces currently handle health data [privacy] and they do a phenomenal job of it. It would almost be better if the provinces had some kind of measure there where they could also stop-gap this before it goes up to the [federal privacy] office.
Howard: I imagine that the business community spoke to the government and they said, ‘We really don’t want the privacy commissioner to be the judge and jury.’ And, I’m speculating, to appease the business community the government separated these two functions [recommending a penalty, and approving a penalty]. And the advantage of having a tribunal is that it’s another body where the government can make patronage appointments, because a tribunal would have a number of members. But maybe that’s the cynical reporter in me.
Cat: … I agree with you. I think C-11 very much reflects this. Canada doesn’t feel like it innovates. So how can we put more control back to the business? They feel they can innovate without doing what they need to do. But I don’t know what this tribunal [will do]. If the decision is clear, if privacy is not being followed, if you’re not able to show that you’re meeting the rules and regulations, what difference is it going to make how many different steps there are? Companies need to just put privacy into their foundation. I don’t think having different gates and different levels of assessment is going to change the fact that they’re breaching things that they shouldn’t be breaching.
Howard: So in your opinion is C-11 seriously flawed, or does it only need a small bit of tweaking?
Cat: I don’t think it’s an improvement on PIPEDA today. I don’t think there’s value in the time, effort and resources to put into it because it’s not improving what we have today. Again, my perspective is that we need to educate the companies on what they’re supposed to be doing as a base now, and then improve on that because so many companies aren’t even doing that today.
Howard: Well, some would say that because this is a minority Parliament, and on top of that there’s COVID, Parliament has trouble. The committees and Parliament can’t meet all in person, and that causes a lot of problems with passing legislation. On the other hand, I think a government’s job is to get legislation passed. And if you’re in a minority government, your job is to make a deal with one of the opposition parties to get it done. And they obviously couldn’t get that deal. I mean, why introduce a bill that would fail? And I think the privacy commissioner’s objections certainly didn’t help. But the bottom line, to me at least, is that this just doesn’t seem to have been a priority of the government. What do you think?
Cat: I would agree with that. I mean, if you look at Ontario, it is actually updating their own privacy guidelines. They’ve put out their own focus. That was well thought out. They asked for people to weigh in on what they think those priorities should be. And we didn’t see any of that for C-11, and the people I know who did give input were all disappointed to see that that wasn’t taken seriously and wasn’t included.
Howard: What Ontario wants to do is pass a privacy law, and it seems that they want to do it because they’re tired of waiting for the federal government to pass this privacy law [C-11]. Ontario was relying on PIPEDA for the privacy law covering the private sector. And now Ontario says, ‘We’re on the road to creating our own privacy law.’
Cat: And Ontario included things that C-11’s missing, like youth protection [of data].