With changes coming to the Personal Information Protection and Electronic Documents Act (PIPEDA) this fall, one privacy consultant says IT professionals should be ready to use privacy as a business case for their future security projects.
Speaking at this week’s 2008 Infosecurity Canada conference, Nymity Inc. president Terry McQuay said that mandatory breach notification is likely to come into PIPEDA later this year. Currently, only the Personal Health Information Protection Act (PHIPA) – legislation which governs the use and disclosure of personal information relating to one’s health care – requires organization’s to notify victims of a data breach.
According to McQuay, in the event of a data breach, the new PIPEDA legislation will require organizations to notify all affected individuals if the breach poses a significant harm. Companies will also have to notify the federal privacy commissioner, he added.
“With breach notification going into PIPEDA, those in the private sector are going to have to invest in breach notification protocols and in methods to eliminate the breaches from ever occurring,” McQuay said. “For anybody with a security project that has never gotten funded, privacy is now going to turn into a business case to reinvest in security and get a budget for it.”
IT and security administrators may also want to consider the manner in which they notify individuals affected by a breach, he said. The new PIPEDA model is expected to include telephone, letter and in-person notification as viable avenues. However, McQuay said that e-mail notification can be acceptable if organizations start planning ahead.
“E-mail notifications will likely be acceptable in cases where express consent has been provided by the individual to receive important information via electronic communication,” he said. “Changes to your policies to include this will mean you can notify people in the most cost-effective way if a breach arises.”
But in addition to having a proper notification procedure, McQuay said, developing stronger safeguards should be a top priority.
“If you encrypt, there’s probably not going to be a need for breach notification,” he said. “The law is going to take the probability that the information was misused for a fraudulent or harmful purpose. Companies that can find out if the information stolen or lost cannot be accessed will be able to prove there isn’t a breach.”
Recent findings from Privacy Commissioner of Canada Jennifer Stoddart seem to agree with McQuay, suggesting that most companies need to put a stronger focus on encryption measures.
“Too often, we see personal information compromised because a company has failed to implement elementary security measures such as using encryption on laptops,” Stoddart wrote in her annual report on PIPEDA, released last week.
The commissioner found that almost nine in 10 people affected by a self-reported breach – such as a misplaced tape drive or laptop – were put at risk because their personal information was held in an electronic format that was either not secured or lacked adequate protection mechanisms such as firewalls and encryption.
These findings even led to some wishful thinking from some security analysts like Info-Tech Research Group Senior Research Analyst James Quin, who hopes the government will push encryption even further.
“It’s difficult for the government to come out and say which technologies to use, because they would appear to be advocating for certain commercial enterprises, but I wish they would in the case of encryption,” Quin said. “As a security professional, I wish they would just come out and say that it is mandatory that companies use encryption.”
For enterprises assessing how high a level of encryption they may need, McQuay said to look at what is reasonable for the information being safeguarded, as well as, what the competition is doing.
“If it’s personal health records, you’re going to want stronger encryption,” he said. “A good way to judge this is to go to business associations in your field and competing companies to look at what they are doing. If the privacy commissioner’s office has to investigate whether you have reasonable security measures, these are the places they will look at first.”
As for the average security professional, McQuay said the onus will fall on them to determine how significant a breach is and to ask the organization’s legal council on whether to notify the affected individuals. A few guidelines to consider, he said, is the sensitivity of the personal information, the medium and the format of the data, and the prospect of criminal activity or intentional wrongdoing in the data’s disappearance.
