Taking Risk Frameworks to the Next Level

Remarks at the Accountability Phase V: The Essential Elements and Assessing Risk Workshop

May 9, 2013
Toronto, Ontario

Address by Chantal Bernier
Assistant Privacy Commissioner of Canada

(Check against delivery)


How do we apprehend risk at the Office of the Privacy Commissioner of Canada?

I would like to react to the framework proposed by the Centre for Information Policy Leadership (CIPL) in three parts: first, I will make general comments on the assessment of accountability for managing risk; then I will apply the proposed CIPL framework to specific OPC files where data protection risk management was a central issue; and finally I will draw some conclusions on the practicality of the framework in light of its juxtaposition to these concrete cases.

So first, my general comments.

The first one goes to the relevance of this framework: Risks have been changing so fundamentally and so rapidly that data holders don’t seem to be able to keep up.

  • In the public sector, the Canadian government just issued a report that numbered more than 3,000 data breaches over the past 10 years, affecting more than 725,000 Canadians – after an order paper question from an opposition MP forced the numbers out. That announcement was accompanied by another, describing enhanced safeguards.
  • In the private sector, our latest survey of businesses (in 2011) shows only 26% of respondents said they had policies or procedures in place to assess privacy risks related to their businesses (including assessing the privacy risks associated with the development or use of new products or technologies), and even those that do – or would be expected to – are showing a range of deficiencies from negligence to complacency.

So clearly, this framework is highly relevant to address a widespread issue.

My second comment relates to the identification of risk. The proposed framework rightly includes both tangible and intangible risk, such as individual moral risks and risks to democratic values. Data holders tend to overlook intangible risks, and allowing them to do so would mean losing the essence of the right to privacy.

For now, I will just underline the importance of not losing sight of moral risk by referring to Daniel Solove:

“. . . the problem with databases and the practices currently associated with them is that they disempower people. They make people vulnerable by stripping them of control over their personal information.” (Daniel Solove, The Digital Person: Technology and Privacy in the Information Age)

So how have risk management issues arisen and been dealt with at the OPC recently?

I will speak about private-sector cases because it is our focus today, but the risk management approach I will describe also applies to the public sector. I will use three examples on a gradation, so to speak, of least to greatest risk management failures to which I will apply the proposed CIPL framework.

The first I will refer to is the case of the Sony breach of 2011.

We learned from media reports that there had been a significant breach. We brought together technologists, lawyers and investigators to go on a fact-finding mission: What happened? Were safeguards appropriate? Were there reasonable grounds to believe there was a violation of the Act?

Our technologists consulted publicly available sources as well as technologists from other DPAs. They found that Sony was already doing its own forensic investigation, that the matter had been put in the hands of law enforcement, that there were no reports of personal information such as financial information having been publicly exposed, and that credit card numbers were hashed, rather than encrypted. Still from publicly available sources, we found that individuals were merely encountering inconveniences and that policies and procedures were in place but not addressing 100% of threats. According to the CIPL framework, that would qualify the severity as negligible, and likelihood as limited.

Our legal analysis was that there was not enough evidence of improper risk management at that point to ground a Commissioner-initiated complaint. I know in the United Kingdom, the Information Commissioner’s Office chose otherwise but we felt monitoring events was the better approach.

The second case, in 2012, was the LinkedIn breach, where 6.5 million user passwords were stolen and posted online. Once again, we gathered technologists, investigators and lawyers. In this case though, the fact-finding showed that there was public exposure of personal information and there were some risk management failings, especially relating to safeguards. According to the CIPL framework, that would qualify the severity as limited, and likelihood as significant.

Again, our legal position was that there were not sufficient grounds to initiate a complaint, but we couldn’t drop it either. With the BC, Alberta and Quebec Commissioners, we engaged in a structured dialogue with LinkedIn where, in confidence, they described exactly the situation in place before the breach as well as their breach response. The four Commissioners wrote a joint letter, making specific recommendations on data protection risk management. LinkedIn was found to be swift in their breach response, fully cooperated with our offices, and we consider the matter closed.

The third case I will mention is WhatsApp, one of the most popular smartphone messaging apps, downloaded and used by millions of subscribers around the world. We did not hear of any breach, but we became concerned about risk management in relation to data protection at WhatsApp. The primary issues revealed through our investigation were that messages sent through the app were unencrypted, that a person’s whole address book, containing both users’ and non-users’ personal information, was required to be uploaded by WhatsApp, and that users’ status updates were visible to all WhatsApp users, not just the user’s contacts.

In this case, according to the CIPL framework, the severity is at least significant, considering user location was broadly shared, and likelihood was at least significant, considering the lack of encryption of messages, the lack of clarity of the privacy policy and the retention of non-user data. We concluded there were sufficient grounds to investigate and we did so in coordination with the Dutch in the first ever international joint privacy investigation, which was concluded earlier this year. WhatsApp has started implementing our recommendations.

Then, on April 26, we were notified of the LivingSocial breach. We don’t know how we will deal with it yet, but we are applying the CIPL framework to structure our analysis.

III. Conclusions on the juxtaposition of the CIPL Risk Framework to the OPC’s positions

In short,

  • The Mapping structure corresponds to our assessment approach: where risk mapping score was highest, our level of intervention was highest; so from our point of view, the framework has practical relevance;
  • We chose to apply the mapping to our analysis of a recent breach to test it. So far, it has added structure and objectivity to our assessment of risk management.
  • There are two issues where the mapping could help us more:
    • First, it would help by integrating the moral, non-tangible risks, such as the risks to democratic values. This would apply to both the public and the private sector, in relation, for example, to what Daniel Solove calls the phenomenon of disempowerment that comes with the building and use of vast databases as well as in the context of Internet surveillance; to me that would be included in the Risk Mapping, under “severe” for severity, with modulations from negligible to severe in relation to likelihood depending upon the level of intrusion.
    • Second, the question remains open about the level of protection that can be expected against cyber-attacks; in the Sony case, we asked ourselves, in deciding how far to go, whether cyber-security was an obligation of result or an obligation of means. The technologists were very clear: it can only be, realistically, an obligation of means. We can only ask the organisation to do all it reasonably can do to protect the information. Yet, under “Likelihood”, the “Risk Map” does not provide for the situation where there was no failing of policies and procedures, just a very powerful attack. Under “negligible Likelihood”, the wording refers to “Threats to integrity or quality of data that appear to be ‘impossible or very remote’”. Is that too high a standard? The fact is, cyber-security is really a misnomer for “cyber-resilience”, and we need to envisage the situation where severity could be significant, even severe, while likelihood would show no risk management failure… Perhaps we need either another category of risk akin to “force majeure” or “act of God”, to use liability law concepts, where likelihood would be level “0”, or a preface that would exclude cases of “force majeure”.
  • That being said, in that sense, it offers a tool for consistency for regulators and a tool for compliance for business.