Appearance before the Standing Senate Committee on Banking, Trade and Commerce (BANC) on Study on issues and concerns pertaining to cyber security and cyber fraud

November 2, 2017
Ottawa, Ontario

Opening Statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Thank you Chair and members of the Committee for the invitation to address the privacy issues related to cyber-security and cyber-fraud.

Canadians are concerned about the security of their personal information. According to our latest public opinion poll released in January, 92% of Canadians expressed concern about the protection of their privacy and a clear majority, (57%) were very concerned.Footnote 1

As more and more personal information is processed online, privacy protection increasingly relies on effective cyber security implementation by organizations to secure personal data.

Scope and Purpose of PIPEDA

The private sector carries significant responsibility for cyber security because it controls so much of the infrastructure and information in cyberspace.Footnote 2

The Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private-sector privacy law, sets out the ground rules for how private-sector organizations collect, use, disclose and safeguard personal information in the course of commercial activities across Canada. It also applies to personal information of employees of federally-regulated organizations, such as banks, airlines, and telecommunications companies.

My Office also oversees compliance with certain aspects of Canada's anti-spam law (CASL), alongside the CRTC and the Competition Bureau.   

Cyber-attacks can impact organizations of all sizes, potentially leading to significant privacy breaches.  In the case of larger organizations, their substantial customer holdings may pose considerable interest for criminals.  But in today’s online economy, small and even micro organizations can also hold vast amounts of personal information, or may be particularly vulnerable because they can be targeted as a prelude to attacks on larger or partner organizations.  We are therefore aware that they may particularly need additional help, resources and oversight. 

Relevant Provisions of PIPEDA  

Under PIPEDA all organizations are accountable for protecting the personal information under their control, which includes identifying risks and implementing appropriate security safeguards to protect the data they collect. 

My office receives a considerable number of breach reports under PIPEDA. Since the adoption of the Digital Privacy Act in 2015 the volume doubled, and has stayed at that higher level for the past 2 years.  Once mandatory breach reporting comes into force we can expect that number to increase significantly. 

Such a volume increase will place even greater pressure on our office’s already stretched breach oversight capacity.  Currently, our capacity is largely limited to examining only the most significant and complex breaches that come to our attention such as, Equifax, WADA, Ashley Madison, and the Phoenix pay system. 

The mandatory data breach reporting regulations for the private sector, although not as extensive as we would have hoped, will be an important instrument for improving security practices of organizations by having all organizations subject to the same obligations.  That said, we have made some recommendations to the Government on some areas in which we believe the draft Regulations are deficient.  These include:

  • Ensuring the content of breach reports provide the information necessary to assess the quality of safeguards, and an assessment of the risk of harm;
  • Clarifying the record keeping requirements for organizations.

This information is critical - it provides baseline data so that trends can be identified and systemic issues can be addressed, allowing for effective oversight.  

The Digital Privacy Act also resulted in a number of significant amendments to PIPEDA – most importantly with the introduction of mandatory breach reporting. It also included a number of amendments which allow for the disclosure of personal information in certain circumstances where the intent is to combat and prevent fraud and financial abuse.Footnote 3

Privacy Act and Mandatory Breach Reporting

Unlike PIPEDA, the Privacy Act does not impose any legislative requirements on government institutions to safeguard the personal information under their control.  Organizations are required by Treasury Board Policy to report material breaches to my Office, however, we have seen a significant disparity in the breach reporting practices of government institutions.  For instance, last year we noticed a 50% reduction in the number of breaches reported, and are in the process of inquiring into the causes of this by reaching out to institutions.

We have also recommended to Parliament that the Privacy Act be amended to place a specific legal obligation on federal government institutions to report material privacy breaches to our Office, and to create an explicit requirement for institutions to safeguard personal information with appropriate physical, organizational and technological measures commensurate with the level of sensitivity of the data. 

It should also be noted that there are extensive standards, directives and policies outlining requirements for government institutions on IT security as well as privacy.  The reality however, is that limited resources across government can lead to hasty implementation of new systems without sufficient attention to technical and organizational safeguards.

We know from recent reports that there are thousands of attacks each year on Government of Canada IT systems.  Fortunately, organizations, such as the Communications Security Establishment (CSE) have been successful at thwarting the vast majority of these attacks.  However, when breaches do occur as a result of insufficient safeguards, there can be very real impacts on privacy. 

This is why the OPC has a role in this context along with the cyber security specialists.  We can contribute by ensuring that organizations implement both security and privacy ‘by design’ so risks to individuals are adequately mitigated, and encouraging them to be more transparent when things go wrong.

Privacy and Security

When we are protecting cyberspace – the information that resides in it and the infrastructure on which it rests – we are in part protecting people's personal information.  This is why I want to emphasize that in the context of data protection, the joint objectives of privacy and security are not at odds, although the relationship is not always a harmonious one. 

In an environment where cyber-threats are a persistent and global occurrence, and are increasingly sophisticated, there is clearly a need for the government and private sector to share information about vulnerable IT systems in a timely way. 

An example of this stems from the proposed amendments in Bill C-59, which calls for CSE to have a role in sharing cyber security information with other organizations.  According to the proposed amendments, this information may include intercepted private communications, depending on the context of the sharing. 

Protecting cyber-infrastructure can require up-to-the-second monitoring of all activities on a network in order to detect anomalies and threats.  In some cases, monitoring of this nature could involve capture and analysis of massive amounts of personal information.  We recognize that the collection of all this data is necessary to effectively monitor networks, but it is equally important to ensure that the retention, use, and sharing of personal information is appropriately limited. 

Partnerships and Education

I would agree with the statements the Committee has heard about how to effectively address the challenges of cyber security – which include partnerships and education.  Education is a key focus for the OPC under our PIPEDA mandate, and we are focusing our outreach efforts on small businesses, given the resource limitations for many of these companies. 

The OPC has also been an active participant in the development of standards on cyber-related topics with the International Organization for Standardization (ISO) specifically on topics such as identity and access management, and codes of practice for protection of personal information generally and one specifically for use of public clouds.  We continue to provide input into emerging ISO standards on de-identification, the internet of things, artificial intelligence and blockchain technology.

Our new “Privacy Tech-Know Blog” tries to demystify cyber security and other information technology issues for the public.  Our most recent posts covered topics such as ransomware and virtual private networks, and upcoming posts help explain encryption and blockchain/distributed ledger technology.  In 2014, we produced a research report on Cyber Security to generate dialogue on cyber security as an important element of online privacy protection.

This year the OPC is particularly interested in funding independent research or knowledge translation projects through our Contributions Program that aim to promote the development and adoption of Privacy Enhancing Technologies (PETs). 

Conclusion

Canadians expect a high-level of protection and trust in our digital economy.  Against that backdrop, it is imperative that cyber security specialists and data protection authorities like the OPC work even more closely together to improve the defences of our cyber infrastructure, and ensure privacy protection is a guiding principle in cyber security efforts. 

Thank you for inviting me to provide this Committee with comment – and I look forward to your questions.

Date modified: