Balancing Privacy with Cyber Security
This page has been archived on the Web
Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.
Remarks at the Conference Board of Canada's Cyber Security: Proactive Defence of Critical Systems and Information Conference
November 6, 2008
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Good afternoon and thank you to the Conference Board for asking me to be here with you today.
I’m pleased to be receiving an increasing number of invitations to speak at cyber security conferences. There are a number of areas where security and privacy intersect, and yet – until quite recently – experts in these two domains had not been exchanging ideas in a meaningful way.
It seems to me that the privacy community has more recently come to the realization that we need a far better understanding of security issues. We’ve gained a better appreciation for security’s critical importance following a number of major data breaches – including some that were the handiwork of cyber criminals.
Over the last several years, we have seen an extremely important development for both the privacy and security worlds: Thieves have increasingly come to recognize that they can make a lot of money by stealing names, birthdates, credit cards and other personal information.
Around the world, cyber crime has become a $105 billion dollar business, according to David DeWalt, CEO of the security technology company McAfee Inc. That’s bigger than the international illegal drug trade!
Apparently, cyberspace’s crooks see opportunities everywhere…
While the rest of us have been worried about economic doom and gloom and our dwindling RRSPs, the online bad guys have been busy taking advantage of financial market upheavals. The U.S. Federal Trade Commission recently warned that scammers – well aware of the mortgage crisis – have been sending phishing e-mails designed to look as if they were from a financial institution that had recently acquired a consumer’s bank or mortgage.
The Privacy-Security Intersect
Our shared goal of better data protection will be easier to achieve if our two communities work together by exchanging information and ideas – and jointly push for an effective and comprehensive Canadian plan on cyber security.
Security and privacy intersect across a wide range of issues, including: law enforcement and national security, in e-commerce and telecommunications, and, of course, the protection of personal information.
At times – and I note you’ve just finished a discussion on lawful access issues – there are tensions between the privacy and security worlds. But we also have important common goals and interests.
This afternoon, I’d like to share some thoughts on this interplay. I also want wto propose some ways in which we can work together to better address cyber threats.
Perhaps the best place to start off an examination of the privacy-security intersect is where the last plenary left off – looking at privacy issues in the context of cyber security law enforcement and lawful access.
As you know, “lawful access” – potential changes that would make it easier for police to get customers’ personal information from Internet service providers and phone companies without first seeking a court order – is something the federal government has been looking at for some time.
A key driver behind attempts to update lawful access provisions is the 2001 European Union Convention on Cybercrime, which Canada has signed but has not yet ratified. Some 23 countries in Europe as well as the United States have ratified the convention.
Law enforcement agencies have complained that some companies have declined – in the absence of a warrant – to provide customer information such as name, address and telephone number, or their Internet equivalents. They argue this can be a stumbling block at the early stages of an investigation.
However, to date, we have not seen a compelling case – one based on empirical evidence – that the inability to access such private information in a timely way has created serious problems for law enforcement and national security agencies.
We are opposed to forcing companies to provide this kind of information when law enforcement and national security agencies demand it but do not have a warrant.
Many people consider the personal information in question to be private – they pay extra for unlisted numbers and share cell phone numbers only with friends and family. And a great attraction of the Internet is that you can remain anonymous.
Under PIPEDA, if a government institution requests this kind of personal information, indicates its lawful authority for doing so, and confirms that the request is for the purpose of enforcing a law or investigating a crime, the organization can provide the requested information without being in violation of the legislation.
For law enforcement, this simply means that – to the extent they had the authority to request this kind of information before PIPEDA came into force – PIPEDA does not interfere with that authority; nor does it constitute a new source of authority or a shortcut for obtaining information without a warrant.
A couple of recent criminal law decisions in Ontario may indicate a need for clarification in this area. For some in the law enforcement community, it appears that making a “PIPEDA Request” has been mistakenly adopted as an alternative to obtaining a warrant in circumstances where a warrant would otherwise be required. My Office will continue to monitor these kinds of cases and will work with law enforcement and Internet service providers to clarify the appropriate role of PIPEDA in this context.
The federal government has held a few public consultations on this issue. We’ll be closely following any further developments.
Heightened national security concerns following the terrorist attacks of September 2001 have led to many new initiatives involving the collection of more and more personal information.
Some are raising significant questions for human rights….
- Anti-money laundering and terrorist financing legislation requires banks, jewelers, real estate agents, lawyers, stock brokers, and casino employees to report certain information to government – money transfers over $10,000, for example – but also to tell government about clients involved in transactions they judge to be suspicious.
- Under a security pilot project at Kelowna’s airport, travelers are being asked to stand in front of scanners that can see through clothing and generate an image of an essentially naked body.
- The no-fly list, meanwhile, has impacts for privacy and related rights such as freedom of association and mobility. The list is assembled based on personal information that is secret, and individuals cannot find out in advance if their names are on the list.
I can appreciate the underlying aim of security programs. We all want to be safe! However, I question the approach, efficacy, efficiency or proportionality of certain initiatives. The nets being designed to catch criminals and terrorists often seem overly wide.
Online Privacy-Security Intersect
The online world raises many other privacy and security issues where we share very similar views.
Previous speakers have examined in detail how online threats are evolving and becoming more sophisticated and more targeted. We will need a comprehensive response to deal with threats such as identity theft, spam and data breaches.
During the last Parliamentary session, the federal government introduced legislation to amend the Criminal Code in order to tackle identity theft.
The bill was an important first step. It created new offences related to obtaining, possessing and trafficking in identity documents or identity information. Identity thieves would face the possibility of reimbursing their victims for costs incurred as a result of the fraud.
But we can’t stop there. My Office will continue to urge the government to develop a broad-based identity fraud strategy.
While several federal departments and agencies are interested in identity theft, their efforts have thus far not resulted in a concerted strategy for dealing with the problem. I’ve proposed the federal government create a clearinghouse or task force that would play a coordinating role.
Transborder cooperation between enforcement authorities should be a central element of the strategy. Identity theft is a crime that knows no borders – cyber thieves currently exploit jurisdictional law enforcement challenges.
Another important piece of the cyber security puzzle is anti-spam legislation. Canada is the only G-8 country without such legislation – despite the fact this was the key recommendation of a special federal Task Force on Spam.
As anyone with an e-mail address knows, spam is proving difficult to deal with effectively. Spam has financial consequences for our economy; it affects productivity and undermines confidence in electronic commerce. It is often used by identity thieves to launch "phishing" attacks – the most recent preying on mortgage foreclosure fears.
I urge you to join me in reminding our new Industry Minister, Tony Clement, that Canada needs anti-spam legislation.
I’ve talked about a couple of key areas where the federal government needs to show leadership. But organizations also have a major role to play – and this is another place where stronger privacy-security joint efforts could be extremely helpful.
By every measure I’ve seen, data breaches are increasing. And some of the bigger spills – TJX, for example – have involved cyber criminals.
A key reason for breaches is that businesses are underestimating the risk a breach will happen to them.
We find this attitude not only in small companies, but also major corporations.
In our investigation of TJX – owner of Winners and HomeSense stores – we found the retail giant was using an encryption technology widely known to be inadequate. Company executives apparently decided to take the risk – their plan to switch to a better technology compliant was moving along at a turtle’s pace. We all know how that turned out.
TJX argued it was only doing what many other organizations were doing. Indeed, we learned many major retailers were not compliant with Payment Card Industry standards, though this is improving in the wake of TJX.
I have no doubt that those of you in the security business appreciate the growing risk posed by cyber criminals. But getting security right usually requires convincing others less intimately involved with personal data protection that there is a real threat and it is worth investing in security.
Gartner, the US-based IT research company, says a company with 10,000 or more customer accounts can spend – in the first year – as little as $6 dollars per account for data encryption alone, or up to $16 for data encryption, host-based intrusion prevention and security audits. Compare that with Gartner’s estimate of a cost of at least $90 per compromised account. A Ponemon Institute study suggested the per-account cost after a data breach is closer to $200.
The cost-benefit analysis becomes pretty easy!
To organizations weighing data breach risks with the cost of good security, I would also point out that adequately protecting personal information is the law in Canada. It is not optional.
Strong security systems are only part of the answer. Many of the other important lessons to be drawn from the TJX breach reinforce some of the “golden rules” of privacy protection – limiting the collection, use, disclosure and retention of personal information and using appropriate security safeguards. Following these fair information principles can enhance security and dramatically reduce the risk of a data breach.
The first steps of implementing fair information principles involve critically examining the personal information you are collecting and then not collecting what you don’t absolutely need. A Wall Street Journal blog recently noted that the payment card industry’s new mantra is: “If you don’t need it, don’t store it.” To this, I would add: If personal information is needed, recognize its value and protect it properly.
Cyber thieves can’t steal personal information if you don’t collect it in the first place. And they’re far less likely to have the opportunity to steal it if you don’t keep it for a long time.
One last point about preventing breaches: Regularly train employees about privacy and security policies. It’s frustrating to see so many breaches occurring because someone has ignored existing policies.
I expect that in the near future we will see an important new incentive for organizations contemplating security expenses: mandatory data breach reporting.
As I’m sure you’ve heard, the federal government has been working on legislation obliging companies to tell people when there is a data spill that raises a “substantial risk of significant harm.”
Richard Simpson, who has been spearheading Industry Canada’s work on breach notification, will no doubt share more details of planned changes after lunch. I am generally happy with the direction Industry Canada is taking.
In the absence of legislation requiring notification, my Office – in consultation with industry and consumer groups – developed voluntary breach guidelines last year. They’ve also been adopted in New Zealand.
The trouble with the voluntary guidelines is that they are voluntary! While we’ve seen an increase in voluntary breach report since publishing the guidelines last year, it’s clear we are not hearing about all data spills.
Mandatory reporting will mean everyone is playing by the same rules. It will also provide us with important information about how breaches are occurring and how to prevent them. Breach notification requirements are the way many countries in the world are headed.
I would appreciate your support for the move to compulsory reporting.
A Cyber Security Strategy
I’ve covered a lot of ground in a short time. I think it’s clear from just about everything that has been said at this conference that cyber security is an incredibly complex problem with no simple solution.
Going forward, I believe that what Canada needs is a comprehensive national strategy to respond to the growing cyber threat challenge.
This is something the federal government has been talking about for a number of years. A recent media report suggested we’ll be seeing the details of a cyber security strategy in the next few months. My Office looks forward to taking part in subsequent consultations.
A number of other countries already have cyber security strategies in place, including the United States, Australia, the United Kingdom, and … Estonia. (The Baltic nation’s new strategy was prompted by a series of denial-of-service attacks which shut down local ISPs and prevented Estonians from banking or buying essentials such as food and gas for a number of days.)
A cyber security strategy can help bring diverse players together. It can be the launching point for creative strategies and avant-garde legislation.
In recent months, for example, we have seen some very interesting legislative developments in the United States.
Massachusetts and Nevada have adopted laws that will require businesses collecting personal information about state residents to encrypt sensitive data stored on portable devices such as laptops, Blackberries and cell phones.
At a national level, President Bush last month signed into law a bill aimed at making it easier for prosecutors to go after cyber crooks.
The U.S. has also adopted a “Red Flags” Rule – new requirements for financial institutions and other creditors to adopt identity theft policies. Organizations must have policies on spotting patterns or activities that could indicate identity theft. They also need a plan for responding to such red flags.
While other countries have taken action, Canada is still talking about taking action. We need to move on these issues quickly.
The International Picture
Another critical component to making headway against cyber crime is international cooperation. Given the global nature of the problem, we need global solutions.
The Organisation for Economic Cooperation and Development (OECD) has being playing a very important role in developing global solutions to privacy and security issues. I’ve been honoured to play a significant role in the OECD Working Party on Information Security and Privacy. The work of this group is essential to trying to ensure that the global flows of information that are the lifeblood of the Internet economy are adequately protected.
We are making progress on the 1998 OECD ministerial resolution to build bridges between the different approaches of member countries in order to ensure privacy protection on global networks. The OECD Recommendation on Cross-border Privacy Co-operation adopted last year was a positive step, but further work is needed.
Asia Pacific Economic Cooperation (APEC), meanwhile, is implementing the APEC Privacy Framework, which provides clear guidance and direction to businesses in APEC member economies on common privacy issues.
I hope I will leave you with a strong sense of how the privacy and security communities really are working towards the same ends in many areas. We will get there faster by working together.
Earlier, I mentioned the TJX breach as an example of a security failure with a significant impact for personal information. But we can also draw a very positive lesson from this incident.
In the wake of the breach, TJX officials recognized that they can enhance data protection going forward by ensuring a close connection between security and privacy.
TJX has appointed a Chief Privacy Officer. It also created a new information management steering committee and was developing a companywide information privacy and security program.
This is a telling example of how privacy and security issues can be jointly addressed at an organizational level.
Security and privacy also need to work hand in hand on broader industry issues.
By looking for common ground and jointly searching for solutions, we can make real headway on cyber security. Hopefully, Canada’s cyber security strategy will create an appropriate framework for this kind of cooperation.
The bad guys of cyberspace are a few steps ahead of us. To overtake them, we need to continue to work together. A privacy/security partnership will go a long way in dealing with emerging threats in the online world.
- Date modified: