Threat information sharing between organizations and governments has been touted by experts as a necessity to combat online attackers.
That’s fine for sharing indicators of compromise, but what about threat data that might identify a customer — email from a particular individual with suspected malicious links, or a specific Web site? Is there protection in Canadian law for sharing that kind of information without the person’s consent?
Canada’s new Digital Privacy Act — which was passed last summer — might appear to offer some protection. It permits the disclosure of personal information to another organization if it is for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada, or of detecting, suppressing or preventing fraud.
But an official of the federal Privacy Commissioner’s office warned CISOs on Wednesday such information disclosures will be watched carefully.
“We are going to be reading every word of those provisions,” Vance Lockton, a senior regional analyst for the commissioner, told a privacy conference.
If you say it’s necessary, “you’d better be able to establish that it is necessary for this purpose,” he said, and that telling the individual about the disclosure would make it impossible to investigate the possible fraud. “You’d better be able to justify why you’ve come to that conclusion. This isn’t something that’s going to be hand-waved away. We’re going to be holding organizations’ feet to the fire.”
In an interview Lockton said threat information sharing “could very well fall under those exceptions” for disclosing personal information to a third party. But, he added, he can’t say for sure because the legislation is so new.
Parliament’s intent wasn’t to allow broad sharing of personal information collected by organizations with no oversight, he added. The provisions of section 7(3)(d.1) and (d.2) speak of reasonable disclosure for investigating a limited set of circumstances, he said.
The commission will soon release a discussion paper on how this and other provisions of the new law should be interpreted.
Organized by the Canadian Institute, the conference continues Thursday.
Also at the conference, Sherry Liang, an assistant commissioner in the office of Ontario’s privacy commissioner, warned organizations there is a lot they can do to prevent employees from snooping without authorization into the personal data of customers and fellow staffers.
“It may be impossible to have a completely watertight system, but there is much that can be done to prevent it,” she said. “They range from better systems controls, password and login controls, timeouts, audits – both in response to an incident but random as well.” Employee discipline is important, she added, including training.
Make sure staff sign confidentiality agreements, she added — and that they are renewed. “Don’t assume that once is good enough.”
A lot of the recommendations are common sense, Liang added in an interview.
At another session Amalia Steiu, an independent privacy consultant, and Samara Starkman, principal consultant at Drawbridge Consulting Inc., a privacy consulting firm, cautioned that accountability is a prime part of any organization’s data privacy plan.
“Without accountability people don’t have guidance, they don’t have a complete set of what they need to do, and risks will be taken that shouldn’t happen,” Steiu said in an interview.
The organization’s audit team — either internal or external — should also audit privacy policies, Steiu said. In fact, she said, if the auditors don’t have the skills they should look to the IT department, which has experience in setting up data security controls, and those are similar to privacy controls. “IT is audited more than privacy,” she said, “so they can talk to auditors about controls they’ve applied to support privacy. It’s a good place to educate auditors.”
Finally, conference chair Pamela Snively, Telus’ vice-president and chief data and trust officer, spoke of the need for organizations to have a detailed privacy breach protocol ready for the day when — not if — the network is breached.
It’s critical to get buy-in from the top (either board or C-suite) for this plan, she said — especially who in the organization will be responsible for leading the incident response team, communicating with staff and the media, and who — if necessary — will write the note to affected customers.
At the outset of the conference she mentioned that several people asked her in the past week if privacy is dead, given the amount of personal data organizations collect. “There has never been so much sensitivity to data privacy,” she said. “While privacy is under threat in lots of ways, we’re also seeing keen interest from people in protecting their privacy” and how to balance privacy and security.
While some worry that so-called big data users will impinge on privacy, Snively believes it will transform the lives of Canadians in positive ways. But, she added, organizations need to be careful about the data flows they create, because once data repositories are constructed it’s hard to pull datasets out of them.