Archive for the ‘Privacy Breach’ Category

10 May 2012

When using technology to safeguard personal information, sometimes small steps can prevent a big loss


An Office of the Privacy Commissioner of Canada (OPC) survey of 1,006 companies across Canada shows that many businesses are not employing recommended technological tools or practices to protect the digitally-stored personal information of their customers.

For example, the survey found that while the vast majority of companies are using passwords to protect personal information stored on digital devices, many do not ensure that passwords are difficult to guess or that their employees change them regularly—two practices that can really help thwart online criminals.

The survey also showed that almost 50% of companies that store personal information on portable devices like laptops, USB sticks, and tablets do not use encryption to protect the information on these devices—despite the fact that these types of devices are far more likely to be misplaced, lost or stolen.

While the survey did find that many Canadian companies recognize the importance of protecting privacy, it is vitally important that businesses take the time to get it right—for their customers and for their own survival. Businesses that jeopardize personal information risk losing their customers’ trust and their business.

The complete survey, which is considered to be accurate to within +/- 3.1%, 19 times out of 20, can be found on our website.


8 May 2012

International data breach report flags alarming trends


http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

A report by Verizon highlights some extremely troubling trends about the types of data breaches occurring around the globe and also how organizations of all sizes are failing to adequately respond to new threats.

Verizon studied 855 breaches in 2011 involving organizations in 36 countries and compromising over 174 million records. Those figures are alarming in themselves.  But just as concerning are some of the statistics drawn from an analysis of these incidents.  Consider:

  • 98 percent of breaches examined in the report stemmed from external agents, notably organized criminals, but also an increasing number of activist groups.  Meanwhile, only 4 percent of breaches involved internal employees.
  • Hacking was linked to the vast majority of incidents – 81 percent.  As well, increasingly invasive malware was used in 69 percent of the breaches.
  • Most breaches were avoidable, with Verizon’s experts concluding that 96 percent of the attacks were not highly sophisticated.
  • Almost all of the firms involved – 96 percent – were non-compliant with the Payment Card Industry Data Security Standard.
  • Organizations also seemingly had trouble detecting breaches – 92 percent of incidents were discovered by a third party, and typically only weeks or months after the breach occurred.

The report is eminently readable and even occasionally funny (who knew there was a “Sesame Street” method of detecting data breaches).

It also includes a point-of-sale security tip sheet that anyone can cut out and distribute to the stores, restaurants and other businesses they frequent. There are more detailed mitigation strategies at the end of the report.

The report raises some fundamental questions about whether organizations – despite all the warnings and growing evidence of the risks – are taking data protection responsibilities and security standards seriously.


27 Mar 2012

Privacy: Not just good business, but good for business


A recently released study has given further evidence to the link between privacy and personal information protection and consumer confidence.

The Edelman study  released in February 2012 shows that consumer concerns about data privacy and security are actively diminishing their trust in organizations.  For instance, 92% listed data security and privacy as important considerations for financial institutions, but only 69% actually trusted financial institutions to adequately protect their personal information.  An even sharper disconnect can be seen with online retailers, with 84% naming security of personal information as a priority but only 33% trusting online retailers to protect it.

It’s hardly surprising that consumers are nervous.  Stories about privacy and security flaws and breaches abound in the media these days.  From flaws in mobile applications, retroactive release of archives for marketing, service amalgamation and data breaches, users are constantly confronted with evidence that their personal information is at risk.  Lack of transparency on the part of organizations and consumer discomfort with cross-border data traffic, outsourcing and cloud storage only further exacerbate the issue.

This challenge to trust appears to correlate to an increased willingness on the part of consumers to invest in their privacy.  Where a 2009 study concluded that consumers were unwilling to pay extra for privacy, recent research from the European Network and Information Security Agency (ENISA) finds that individuals weigh security and privacy considerations as heavily as those relating to a product’s design, style, and physical dimensions. All other things being equal, the study discovered that consumers were willing to pay a higher price in order to protect their privacy. 

Investing in privacy is not the only way that consumer concerns are indicated – the Edelman data also shows nearly 50% of participants either leaving or avoiding companies that have suffered a security breach.  Following a data breach suffered by an organization with whom they’re already involved, up to 70% of those surveyed expressed willingness to terminate a relationship or switch providers. 

Findings like this should be a wake-up call for organizations, an indicator that it is no longer enough to “manage” security and privacy concerns. Instead, privacy and security need to be prioritized and strengthened to the point where they can be made key parts of branding and corporate identity.   Consumer confidence is key, and reliant upon trust. And new evidence increasingly shows that privacy is not only good business – it’s good for business.


7 Sep 2010

Know a Young Person Who’d Like to Win an iPad?


We’re launching our 2010 My Privacy & Me Video Contest for 12-18-year-olds – and the first-place winners will win an iPad!

It’s the same thing this year – but a little different, too! Again, we’re asking them to create their own public service announcements about privacy. But this year, we’d like the videos to fall into one of four categories: Surveillance; Reputation Management; Targeted Advertising; or Online Scams. You can find all contest details here.

This year, teams can consist of one to three people. First-place winners in each category will win an iPad. Second-place winners will win a $200 gift card; and third-place winners will win a $100 gift card. We’ve recognized top-participating schools and teachers in the past, and we have something in store for them in 2010! The deadline is December 10, 2010.

For inspiration, sit down with your young ones and watch the 2009 winning videos. Then, have them start exercising their video-making muscles – we can’t wait to see what they’ve got!


28 Jan 2010

It’s Data Privacy Day 2010: Are you taking the proper steps to ensure that your personal information is safe?


On Data Privacy Day 2010, we’d like to take a moment to remind everyone that it is the responsibility of both individuals and companies to make sure that personal information is safe.

If you own a company, or work for a big one: in the past, you may have had to ensure that your customers’ name and address information (and in some cases credit card and billing information) were safe. Now, many of you are providing technology and tools for your customers to put increasing amounts of personal information online. Does your company have the systems in place to safeguard this information? Do you give your customers the tools and options to control how their information is used?

If you are a user of new and cool technology: in the past a telephone was a telephone, a video game was a video game, a stuffed toy was simply that – a stuffed toy. Today, more and more toys and handheld tools come with the ability to go online. Do you understand how to enjoy your toys and gadgets without putting your personal information at risk?

If you are a parent or guardian, teacher, coach or caregiver: do the young people in your life understand how to use all these new toys and gadgets while keeping their personal information safe? Our office has recently made youth privacy a key priority. Today, we have posted some new resources to the Parents & Teachers section of our youth web site. The resources include information on 12 privacy issues (such as the importance of privacy settings and knowing who your friends are on social networking sites), along with ideas for generating discussion about each issue with young people. You can use these resources to start discussion about personal privacy and the importance of thinking about what you post on the Internet.

Regardless of which group you are in – if you need any information about how to keep personal information secure, visit our web sites – priv.gc.ca and youthprivacy.ca.


18 Feb 2009

Time Inconsistency, Behavioural Economics and Privacy


A question that occupies a lot of our time in the office is why, despite growing research that clearly shows that privacy is important to Canadians, do many of us give out our personal information to anyone who asks? While we know privacy is important to people, they still trade personal information for just about anything – from a “free” service to a chance to win something. Why does what we say is important to us often not translate to our observable behaviour? Where does this disconnect happen?

To cast a bit of light on this conundrum, an offshoot of economics may offer some insight. Behavioural economics integrates psychology into classical economic theory to look at why we make decisions and to better understand and predict our choices. It views the individual not as just one self but as a collection of selves that have different preferences at different points in time. The notion that humans are rational decision makers running around maximizing their utility flies right out the window with these folks. Instead, our behaviour is seen as more complex and dynamic.

An interesting sub-theory within behavioural economics is time inconsistency, which basically says that we often exhibit a “present bias” – we place more “value” on the present than on the future. Bringing this into the realm of privacy, parting with some personal information now to sign up for a free social networking site is more valuable to us in the moment than the overall state of our privacy in the future – say ten years from now. The result is that even though we believe our privacy to be important and something to be safeguarded, we continue to make choices now that negatively affect the future. We lose sight of the fact that what is optimal now may not be optimal later.

Time inconsistency gained some attention a few months back when Google Labs released a new feature called “Mail Goggles”. Effectively a drunk-dialing early warning system, the feature, when turned on, stops you from sending an email late at night on the weekend until you answer some math questions first. In a fun and simple way, Google has capitalized on the concept of time inconsistency – giving us control now over our future (and potentially embarrassing) behaviour. Mail Goggles allows us to “pre-commit” in the present to not doing something detrimental later.

So what does all this have to do with privacy? Well, it can help us think about how we can use time inconsistency to promote privacy-protecting behaviour. Maybe we mandate that an irritating tone be installed in all computers, a tone that goes off each time you seem to compromise your privacy online, for example.

All kidding aside, we figure if Google can help us avoid the humiliation of a drunk dial by incorporating some lessons from behavioural economics, surely the discipline’s potential for privacy protection is worth an extended look.


28 Jan 2009

Data Privacy Day


To commemorate Data Privacy Day today, we offer up our latest Top Ten list…The Top 10 Ways Your Privacy is Threatened:

10. Surveillance cameras, swipe cards, Internet searches – as you go about your daily routine you actually leave a trail of data behind you for others to collect, merge, analyze and even sell, often without your knowledge or consent.

9. New and exciting technologies are emerging daily; but often your personal information is the cost of admission. Think about the information you have surrendered just to play online games, join virtual worlds, or even shop online.

8. Millions of people post all sorts of personal information about themselves, their family and their friends on social networking sites without reviewing the privacy policies, modifying the privacy settings, or considering how this information can be used or misused by others.

7. Governments are indiscriminately collecting mountains of personal data in the name of national security and public safety.

6. Businesses are collecting more and more information about an ever-greater number of people, often without having appropriate means to protect the information or dispose of it.

5. Data breaches happen every day in both the public and private sectors. Recent incidents have exposed the personal information of millions of people. In fact, you could already have been one of those people, but due to the lack of mandatory breach reporting laws in Canada, you may never even be informed.

4. Fraudsters have become extremely devious and technologically savvy. From the other side of the planet, they can steal your personal information. These days, you need to shred documents, protect your computer, watch out for fraudulent e-mails, be on guard against pretexting and much more.

3. Identity theft, which is fuelled by excessive personal information collection and failure to protect it, is rampant – and it is becoming a very lucrative business for criminals.

2. We live in a global society where information flows freely around the world – from person to person; jurisdiction to jurisdiction; public sector to private sector – and all privacy protection laws are not created equal.

1. The notion that “if you have nothing to hide, you have nothing to fear”. Privacy is an essential freedom that shapes our society; an internationally recognized human right; and the foundation of modern democracy – but if we don’t value our privacy or stand up for it as our right, it will be eroded over time.

What are you doing to take note of Data Privacy Day? Check out our Data Privacy Day page for new information and material demonstrating the importance of data privacy issues and encouraging people to become better guardians of their own personal information. And be sure to share with us how you protect your personal information for a chance to win one of our T-shirts!


4 Dec 2008

Remember Mafiaboy?


In 2000, this 15-year-old hacker brought down some of the most heavily visited websites on the net: Amazon, eBay, CNN, Yahoo!. At the time, reports claimed the hack caused a billion dollars’ worth of damage to these companies.

Since that time, cybercrime has become big business, with some reports suggesting it’s on par with or bigger than the illicit drug trade. Identity theft features prominently in this underground frontier, with credit card information and entire identities up for sale by the thousands.

Tonight, CBC is airing Web Warriors, a one-hour documentary with an exclusive look at the world of hackers, and the cyber-sleuths who pursue them. If you miss it on TV, the entire documentary is available on CBC’s site as well.

And on the subject of teenage hackers, we’d like to point you towards Little Brother, the novel for young adults by BoingBoing blog coeditor Cory Doctorow. Little Brother takes place in the not-so-distant future where a group of teens use technology to protest the ever-increasing government surveillance around them. It’s a story that looks at hacking, jamming and surveillance, and offers insight into the privacy vs. security debate…all through the eyes of a 17-year-old.


24 Sep 2008

What’s in store for a new session of Parliament


On July 3, 2008 the Office of the Privacy Commissioner of Canada announced the results of a public opinion study we commissioned on the personal information customers hand over (or refuse to hand over) to retailers. According to the results, more than half of Canadians said that they were apprehensive about giving their personal information to retailers, citing concerns over security issues, identity theft and fraud.

The growing concern about disclosing their personal information is understandable given the rise in privacy breaches over the last year (as seen here and here).

In a speech this summer, Commissioner Stoddart noted that while a greater number of companies were voluntarily reporting breaches to the OPC, “it’s clear we still aren’t hearing about every breach which could have a harmful impact on people.”

In a different speech delivered to the Canadian Bar Association Legal Conference and Expo last month, Commissioner Stoddart spoke about her support for mandatory breach notification:

“I am a strong supporter of mandatory notification. By every measure I’ve seen, breaches are a growing problem. Despite the clear risks, we continue to see too many organizations – large and small – underestimating the need to protect personal information. This results in deficient privacy and security safeguards – and, not surprisingly, data spills.”

She also took the opportunity to provide an update on potential amendments to the Protection of Personal Information and Electronic Documents Act (PIPEDA), Canada’s private sector privacy legislation.  One of the anticipated amendments is a formal requirement to provide breach notification.

As an election has been called for this October, the proposed amendments to PIPEDA are now on the backburner until a new Parliament convenes.

Despite the election call, interest in privacy rights and the future of our privacy legislation remains high. Continued interest and engagement by Canadians reminds us that individuals have a high degree of expectation that privacy rights should be respected and safeguarded.

No doubt, progress on privacy legislation will be keenly followed by individuals, government, academics, privacy advocates and civil society as the next Parliament gets underway.


28 Jan 2008

A correction – but still a concern


Today, we issued a news release celebrating Data Privacy Day, an initiative of the International Association of Privacy Professionals. In that release we made the assertion that  “We have seen a proliferation of identity theft and spam as well as a tripling of reported data breaches around the world last year” – based on an analysis of data breaches first reported in USA Today, and similar reporting by the Associated Press.

“Dissent,” who blogs at pogowasright, contacted me to question that analysis. Dissent’s dissection of the claim that breaches have tripled can be found here and here. His/her email suggested that maybe we were thinking of the records revealed as a result of breaches?

I think we can all agree it is hard to track whether a data breach has occurred, unless it is then reported in the media. Dissent’s analysis seems to make sense.

At the Office of the Privacy Commissioner, however, we are certain that there were a number of remarkable data breaches in 2007 – in Canada and abroad.

Whether we are talking about breaches themselves or the records they revealed, there were millions of personal records exposed because of poor record handling, inadequate security, lax staff procedures and disregard for privacy agreements.

And that has to change.

But we still appreciate Dissent for paying close attention. We need more like him/her.