Privacy panel participants clockwise from top left: Leo de Sousa, Cat Coode, moderator Alex Coop, David Fraser and Le Ha Hang

Published: October 7th, 2020

The COVID-19 pandemic has caused a few nightmares for Canadian privacy experts, according to experts at the MapleSEC virtual conference.

Consider these stories outlined Wednesday at a privacy panel:

  • An unnamed medical company sent real patient data in an Excel spreadsheet for software developers to test on the contact tracing app they were developing for the firm;
  • An unnamed company suffered a “significant loss” after an executive fell for a business email scam involving the transfer of money. The CEO and CFO usually work in adjoining offices and would normally have checked with each other in person before allowing such a transaction. Instead, both were working from home and the normal procedure wasn’t followed;
  • “People are now working from home, but they’re not treating it as they would their offices,” said privacy consultant Cat Coode of Binary Tattoo. “One privacy thing that gets me are people posting screenshots of their internal meetings on social media. You would never walk into a building and go into a meeting room and take a picture and post it. These are essentially private meetings.”

“It’s going to be really critical” for organizations to remind staff that corporate information security policies apply in their homes and that they have a role in protecting customer privacy, Coode said.

Corporate privacy policies have to be adapted to the work-from-home environment, said Le Ha Hang, vice-president of global security at Montreal-based consulting firm CGI. One way is to impress upon employees that learning to protect corporate data also helps them learn how to protect themselves at home, she said. “There has to be something in it for people to get engaged.”

Panel member Leo de Sousa, deputy CIO of the city of Vancouver, said the municipality was by chance partly prepared for a crisis. Two years ago it began a remote working strategy for about 5,000 employees, giving departments the option of upgrading staff to laptops. And as the pandemic began, the city was putting the finishing touches on a revised privacy policy.

Still, the crisis meant quickly extending connectivity to the corporate network to 3,000 homes. For those who didn’t already have them, the city had to loan some laptops from its supply. Others went home with their desktop computers armed with new VPNs.

For extra safety, the city bought licenses for a new endpoint detection and remediation (EDR) solution.

Fortunately, de Sousa said, an alert staffer prevented the finance department from falling for an email scam requesting the city change direct deposit banking information.

Halifax privacy lawyer David Fraser of the McInnes Cooper law firm suggested some companies might have been cut a little slack in March before a judge or regulator in pleading that a practice or decision was “reasonable in the circumstances.” However, things have now stabilized and that argument might not carry. That’s why organizations have to think about changing privacy policies and procedures to reflect today’s situation, he said.

Make sure security is baked into business processes so it isn’t something staff have to think about, he advised. Make sure employees understand privacy and security fundamentals. And, he added, make sure they have secure tools and systems to do their work from home — otherwise, if they have trouble transferring a huge file they’ll use a less secure app to do it.

Asked about how the so-called new normal will affect businesses, Hang was blunt: There is no difference between the past and now. Privacy and security must still be part of business processes.

In a separate session Alberta information and privacy commissioner Jill Clayton urged the private and public sectors to keep three things in mind when considering buying new technology solutions in this environment:

  • Be aware of the privacy and security implications of new technology and new processes. Make sure expectations are clearly communicated to staff. “Working from home is not the same as working from the office, and introduces a host of privacy and security risks. Employers need to come up with strategies to mitigate those risks.”
  • Don’t implement new technologies fast. Do a personal information impact assessment, even if it’s not legally required. “Rapid deployments of new technologies and changes to established practices lead to privacy breaches because things have not been thought through.”
  • Make sure you have a breach response plan. “The last thing you want is to be flying by the seat of your pants when something goes wrong.”

