Submission on Cyber Security

Submission to the National Cyber Security Directorate of Public Safety Canada

October 13, 2016

National Cyber Security Directorate
Public Safety Canada
13th Floor, 340 Laurier Avenue West
Ottawa, Ontario K1P 5K3
ps.cyberconsultation-consultationcyber.sp@canada.ca

Subject: Submission on Cyber Security

Dear Sir/Madam:

We would like to take this opportunity to provide comment on the privacy implications of Canada’s approach to Cyber Security as articulated in your department’s Call for Submissions on August 16, 2016, for your consultation on Security and Prosperity in the Digital Age.

By way of background, the mandate of the Office of the Privacy Commissioner of Canada (OPC) is to oversee compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private-sector privacy law, along with some aspects of Canada's anti-spam law (CASL). The OPC's mission is to protect and promote privacy rights of individuals.

Context

Privacy and cyber-security are very much interconnected. On one hand, challenges for cyber security are also challenges for privacy protection. Just as organizations must stay abreast of the latest cyber threats in order to protect their IT systems, so too must privacy officers if they are to adequately safeguard the personal information entrusted to them by their clients, customers and employees. On the other hand, cyber-security policy can also threaten privacy. Sometimes strategies put in place to combat cyber threats have the unintended consequence of infringing on people's privacy. There is a risk that cyber security strategies and activities result in surveillance regimes for unlimited and unending monitoring and analysis of the personal information of individuals.

In 2014, the OPC produced a research report which examines the common interests and tensions between privacy and cyber security. It explores how challenges for cyber security are also challenges for privacy and data protection, considers how cyber security policy can affect privacy, and notes how cyberspace governance and security is a global issue. Finally, it sets out key policy directions with a view to building privacy values into cyber security policy direction, encouraging legislative approaches that incentivize cyber security preparedness, and generating dialogue on cyber security as an important element of online privacy protection. [Footnote 1] The government’s consultation paper is a good step in the direction of encouraging such a dialogue.

We strongly urge the government to review our paper for a broader overview of the privacy implications. What follows below are comments (and links to relevant materials prepared by the OPC) in response to specific questions found in the consultation paper.

TREND #1: EVOLUTION OF THE CYBER THREAT

Theme 1.1: Addressing Cybercrime – Law Enforcement, public and private sector protections

When addressing cybercrime, law enforcement needs to be mindful of the implications of their activities on Canadians’ privacy. Privacy Impact Assessments (PIAs) are an important privacy risk reduction exercise and planning tool, and are required in certain circumstances under federal government policy. The PIA process helps determine whether government initiatives involving the use of personal information raise privacy risks; measures, describes and quantifies these risks; and proposes solutions to eliminate privacy risks or mitigate them to an acceptable level. Whether it is law enforcement addressing the growing challenges posed by cybercrime, or government institutions that hold large amounts of citizen and employee personal information, conducting PIAs will help ensure compliance with the Privacy Act, provide transparency to Canadians about how their personal information is treated by government, and ensure accountability for the use of personal information. For more information on PIAs, please refer to:

  • Expectations: A Guide for Submitting Privacy Impact Assessments to the Office of the Privacy Commissioner of Canada, 2011; [Footnote 2]
  • Top Ten Dos and Don’ts for Privacy Impact Assessments, 2016. [Footnote 3]

Under Canada’s private sector privacy laws, organizations are accountable for protecting the personal information under their control. They are responsible for identifying privacy-related obligations and risks and appropriately addressing them in developing their business models and related technologies and business practices and safeguards before they launch new products or services. They also need to minimize risks to their organization and to their employees and customers, as well as mitigate the effects of any privacy breaches. They do this by having an evergreen privacy management program that encompasses these considerations on an ongoing basis.

The OPC has produced a number of publications aimed at helping organizations meet their accountability and security requirements as well as addressing specific privacy and security threats, including:

  • Getting Accountability Right with a Privacy Management Program; [Footnote 4]
  • Security Self-Assessment Tool; [Footnote 5]
  • Ten Tips for Reducing the Likelihood of a Privacy Breach, 2014; [Footnote 6]
  • Is a Bring Your Own Device (BYOD) Program the Right Choice for Your Organization?, 2015; [Footnote 7] and
  • Electronic and digital payments and privacy. [Footnote 8]

An important development in Canada’s cyber security efforts was the passage in 2014 of Canada’s anti-spam legislation (CASL), which helps to protect Canadians’ personal information online. The OPC shares enforcement responsibilities for CASL with the CRTC and the Competition Bureau. Our role focuses on two types of violations:

  • the harvesting of electronic addresses, in which bulk lists of email addresses are compiled through mechanisms that include the use of computer programs to automatically mine the Internet for addresses; and
  • the collection of personal information through illicit access to other people’s computer systems, primarily through means such as spyware.

The OPC’s spam-related public resources include:

  • Internet threats associated with spam, 2011; [Footnote 9]
  • A detailed guide for businesses doing e-marketing, 2015; [Footnote 10] and
  • Helpful tips for businesses doing e-marketing, 2015. [Footnote 11]

The OPC recently completed its first investigation under CASL against an entity called Compu-Finder. [Footnote 12] The company did not have in place a privacy management program, which meant that they could not demonstrate that they had consent for the use of email addresses. They have since agreed to put such a program in place.

Putting in place safeguards to protect personal information against illegal activity such as malware and other types of fraud is not only a legislated requirement but also essential to preserving trust in Canada’s digital economy. Canada’s future economic growth depends on innovation and on having strong privacy and security frameworks in place to support citizens and organizations.

The Privacy Act, unlike PIPEDA, does not contain any requirements on government institutions to safeguard the personal information under their control. The OPC has made recommendations to Parliament to address this issue (among others) with a view to encourage the reform and modernization of the Act to address the evolution in technology and its use since the Act came into force in 1983. [Footnote 13]

Theme 1.2: Policing in Cyberspace

As far as public expectations go, regarding privacy and police investigations of internet activity, both polls and Courts in Canada have been very clear. They assert that privacy rights and freedoms protected by the Charter, what we enjoy as citizens in our daily offline lives, should carry over online. The Supreme Court of Canada made this clear in the 2014 case R. v. Spencer. In terms of police powers specifically, the investigative tools used online should carry the same safeguards, authorization thresholds, burdens of proof and minimization requirements as would their equivalents in offline search and seizure. The SCC in Spencer and other previous rulings have been quite consistent in this regard; as a society, we do not compromise protection of fundamental rights to make policing more convenient or expedite prosecution.

In March 2015, police were provided a suite of new tools under the Protecting Canadians from Online Crime Act (PCOCA). These included, among others, powers to trace electronic communications, track digital transactions, and order preservation of online evidence. It is incumbent upon government institutions to demonstrate the evidence of a serious issue and to explain how it would set about overcoming that investigative hurdle. On a final note, we think there are connections between the issues raised in this consultation paper and in the consultation on national security, launched shortly after this one. We will be providing further comments on law enforcement and national security agencies’ activities in the context of that consultation. We will be making our comments public.

Theme 1.3: Protecting Against Advanced Cyber Threats

In an environment where cyber attacks are a daily occurrence, one cannot overstate the importance of a comprehensive, overarching security framework to protect against unauthorized breaches of personal information. A recent investigation [Footnote 14] by the OPC into a privacy breach of the adult dating website Ashley Madison revealed how crucial it is for organizations that hold personal information electronically to adopt clear and appropriate processes, procedures and systems to handle information security risks, supported by adequate expertise (internal or external). This is especially the case where the personal information held includes information of a sensitive nature that, if compromised, could cause significant reputational or other harms to the individuals affected. The OPC has reminded organizations holding sensitive personal information or a significant amount of personal information to have information security measures in place, including:

  • a security policy;
  • an explicit risk management process that addresses information security matters, drawing on adequate expertise; and
  • adequate privacy and security training for all staff.

Mandatory data breach notification laws are an effective way of strengthening organizations’ accountability for protecting the personal information in their control and ensuring that adequate safeguards are in place. According to the 2016 CIGI-Ipsos Global Survey on Internet Security and Trust, [Footnote 15] 18% of Canadians have been notified of a privacy breach. To date, the approach to data breach notification in Canada has not been consistent. Organizations are required to report breaches of health information in several provinces, including Ontario, New Brunswick and Newfoundland and Labrador. Private sector organizations are subject to mandatory breach notification under Alberta’s Personal Information Protection Act and will be under the federal PIPEDA. [Footnote 16] Federal institutions subject to the Privacy Act are required under federal government policy to notify the Office of the Privacy Commissioner of Canada (OPC) and the Treasury Board of Canada Secretariat of all material privacy breaches and of the mitigation measures being implemented. The OPC has recommended that breach reporting be made a legal requirement under the Privacy Act. [Footnote 17]

Security is enhanced through mandatory breach notification as a picture emerges of security practices more broadly and allows for systemic issues to be identified and addressed.

There is also a leveling of the playing field for organizations in terms of enforcement. Having all organizations be subject to the same obligations avoids organizations unfairly being singled out when they proactively report breaches.

Theme 1.4: Increasing Public Engagement/Theme 2.1: Strengthening Consumer Confidence in e-Commerce

As part of our mandate to promote public awareness and understanding of privacy issues and privacy rights, the OPC regularly publishes a variety of educational resources for individuals. We believe that a great defence against a wide range of privacy risks, including unauthorized access to personal information, is individuals’ knowing their rights and making choices about what personal information to share, with whom, and for what purpose. For example, we have produced resources on best practices for protecting personal information, including:

  • Identity Theft and You, 2014; [Footnote 18]
  • 10 Tips for preventing identity theft, 2013; [Footnote 19]
  • Top 10 tips to protect your inbox, computer and mobile device, 2015. [Footnote 20]

The OPC also works diligently to educate individuals and organizations on the privacy implications of new technologies, government initiatives and business practices. In addition to internally produced research reports on topics which include drones [Footnote 21] and predictive analytics [Footnote 22], the OPC also funds independent research through the Contributions Program. The goal of the program is to generate new ideas, approaches and knowledge about privacy that organizations can apply to better safeguard personal information and that individual Canadians can use to make more informed decisions about protecting their privacy. Most recently, we funded research reports on such diverse subjects as the connected car [Footnote 23] and the security of fitness trackers. [Footnote 24]

The OPC has also issued guidance (mentioned throughout this document) to help organizations do a better job of protecting personal information that they control. While individuals should take steps to be aware of risks and to protect themselves accordingly, it should not all rest on individuals to protect their personal information. Organizations must address these issues. Trust in the digital economy depends on it.

Conclusion

There is a growing need for cybersecurity and data protection collaboration in an increasingly borderless world. Your renewed approach to cyber security draws attention to the need for promotion and protection of freedoms online and the need for collaboration and coordination across jurisdictions. Against that backdrop, it is imperative that cyber security specialists and privacy protection authorities like the OPC work even more closely together to improve defences in the public and private sectors, and ensure privacy protection is a guiding principle in cyber security efforts. [Footnote 25] We welcome the opportunity to contribute to this dialogue.

Sincerely,

Original signed by

Daniel Therrien
Privacy Commissioner of Canada
