Facing the breach: Privacy and security as an ecosystem

Remarks at the Maritime Access and Privacy Conference 2013

June 18, 2013
Halifax, Nova Scotia

Address by Chantal Bernier
Assistant Privacy Commissioner of Canada

(Check against delivery)


Introduction

The topic I wish to address today is the issue of privacy breaches in the public sector, from the unique point of view of the federal Office of the Privacy Commissioner.

More specifically, I will aim to situate privacy breaches in the wider information security ecosystem.

Such is the case for the information security ecosystem in which personal information resides in the public sector.

My objective today is to demonstrate that adopting a holistic, ecological view of information security in the public sector is critical to protecting personal information before a breach occurs, and to reacting appropriately to breaches when they do occur—whether as a regulator or as an institution.

The three specific points I will address today are:

  • The specific governance structure at the federal government;
  • An inventory of the various threats to personal information protection and basic risk assessment and mitigation strategies to counteract these risks; and
  • How all of this translates into our work at the Office of the Privacy Commissioner of Canada.

I. The Specific Governance Structure at the Federal Government

The first relevant point for this discussion on privacy and security in the public sector is the governance structure around personal information in the federal government—an ecosystem unto itself.

There are three basic components to this governance structure:

  • Heads of government institutions, who have specific obligations under the Privacy Act with regard to collection, retention, disposal and protection of personal information, and with regard to access to personal information;
  • The Treasury Board Secretariat, which is responsible for providing guidance to departments on how to fulfil their obligations under the Privacy Act; and
  • The Office of the Privacy Commissioner, which is responsible for overseeing compliance with the Privacy Act.

Let me start with our own role to then move on to how we interact with government institutions.

Who we are: An Agent of Parliament

The Privacy Commissioner of Canada is one of seven Agents of Parliament (along with the Auditor General, the Chief Electoral Officer, the Commissioner of Official Languages, the Information Commissioner, the Public Sector Integrity Commissioner and the Commissioner of Lobbying).

These seven offices do not report to the government, but rather to the whole of Parliament. These offices are in a nutshell “the guardians of values that transcend the political objectives and partisan debates of the day,” to borrow from the very eloquent Commissioner of Official Languages, Graham Fraser.

What we do: Enforce the Privacy Act

Our role is to enforce federal privacy legislation: the Privacy Act, which covers some 250 federal public sector organizations, and the Personal Information Protection and Electronic Documents Act, or PIPEDA, which covers a good portion of the commercial activity conducted in Canada. My remarks today will be focussed on our public-sector work under the Privacy Act.

We carry out work on behalf of Parliament, and are accountable to Parliament. Therefore, we do not take direction from the government through the Privy Council Office or the Treasury Board Secretariat—nor is our primary role to provide guidance to departments the way a central agency would. We do issue guidance documents, fact sheets, interpretive bulletins and the like, mostly to fulfil our public education mandate under PIPEDA.

How we do it: Investigations, audits, PIA reviews and advice to Parliament

We enforce the Privacy Act by investigating complaints. We accepted just under a thousand complaints [986] under the Privacy Act in the last fiscal year. We also conduct audits into systemic issues.

We also review Privacy Impact Assessments prepared by departments and agencies about programs that involve the collection, use, communication or disposal of personal information. The PIA process is governed by the Treasury Board Directive on Privacy Impact Assessments.

And finally, we provide advice to Parliament on legislative measures that would have an impact on Canadians’ right to privacy. To do so, we conduct research—both literature review and technological research.

How we interact with other federal institutions

As you can gauge from that summary of our activities, our interactions with federal departments and agencies are rather circumscribed: we interact in the more formal context of an investigation, an audit or a PIA review, or in the less formal context of a consultation on an initiative that could eventually be the subject of a PIA.

Role of the Treasury Board Secretariat

Even though we may issue recommendations to federal institutions, it is the Treasury Board Secretariat (TBS) that is generally responsible for providing them with the various policy tools they need to effectively manage resources, including information holdings.

In broad terms, TBS is responsible for supporting sound management across federal departments. TBS achieves this notably by maintaining a suite of policies intended to guide deputy heads in their roles as managers of public resources. TBS also develops tools—directives, standards, guidelines—to assist departments in implementing government policies. Sound personal information practices are an overarching principle that cuts across the TBS policy suite.

II. Threats to Personal Information Protection and Risk Management Strategies

In this second part of my presentation, I will share with you some observations on threats to personal information in the public sector, as well as effective risk management strategies, through the lens of our Privacy Act enforcement activities.

As I mentioned at the outset, protecting personal data is part of the informational component of the wider security ecosystem. To remain secure, personal data must be protected by appropriate means—and that means using a combination of technology, physical security, personnel security, and policies and procedures that is proportional to the sensitivity of the data.

We more or less had it together when personal data was confined to paper files (I say “more or less” because we did lose some of those, too), but translating asset security measures to digital media has been somewhat clumsy.

We observe, on the basis of our investigations in both the public and the private sector, that we seem to be in a time warp: we have moved to the digital world without fully understanding its implications. A poll by Knoll Advisory illustrates this point. It showed that 31% of privacy breaches are due to the complexity of IT.

Employees who, for the most part, have not grown up with IT have completely moved to an IT world without fully understanding it.

We sometimes forget that sensitive data did get compromised before the IT revolution. Briefcases did get stolen from lost cars, locked cabinets did get broken into, files did get misplaced, and rogue employees did poke through records they should not have been granted access to. A hacker breaking into a network is but a single new way data can get compromised. The major difference today is the volume of data that can go missing as the result of a single security breach.

The problem is not the technology. The problem is that risks are not always properly assessed, and training is not always commensurate with the massive amounts of data we can now store on digital media.

That was, in fact, Recommendation 20 of our 2010 audit on the use of wireless in selected federal institutions, where we concluded that departments should ensure that employees are made aware of the privacy risks inherent to the use of wireless devices and provide guidance to mitigate those risks.

I would like to insist on the word “aware”. From what I observe in our work, awareness is the first step in risk management and yet, it appears so fluid and abstract that it is either assumed or unaddressed. Yet, think about it: isn’t the first line of protection awareness of danger? Is it not the very impetus for risk management?

This leads me to the greatest risk in the ecosystem of data protection: the human factor. Consider these examples of investigations and incident reports from which we have developed a list of privacy tips for human resources professionals:

  • In one case, all job applicants were sent the names of the other candidates because they were included in the “to” field instead of the “bcc” field;
  • In a second case, a DG’s skills assessment was mistakenly sent electronically to 321 people in the same department;
  • In a third case, a DG sent an electronic calendar invitation to an employee to discuss “disciplinary issues”, without taking into account that 17 people had access to the calendar.

Beyond examples related to human error, there are the examples related to human nature:

  • In one case, an employee unlawfully accessed the medical files of a former lover;
  • In another case, an employee unlawfully accessed the income tax returns of celebrities.

And I could go on.

Human nature is what it is. Rules and oversight systems are meant to compensate for it. And that is why departments that handle vast amounts of sensitive personal information tend to develop thorough sets of rules to protect personal information that complement TBS guidelines.

Let me then move to the systemic measures that we consider the most effective for protecting personal information within organizations.

I will also share with you the advice that we offer any organization that comes to us for guidance. This advice can be relevant for organizations of any size and any sector. We feel it can be adapted to any business model and any context.

Establish policies, support them with an effective governance structure

Our first piece of advice is to develop personal information management policies that correspond to the inherent risks faced by the organization.

This must be done in conjunction with establishing a governance structure that has the weight, the composition and the mandate to effectively ensure implementation of policy instruments. For example, an organization must consider whether senior management is sufficiently accountable for the protection of personal information, in view of the organization’s particular circumstances. Do those who are charged with implementation of data protection rules carry enough weight in the organization? Is the protection of personal information properly integrated in all departmental functions, or is it seen as an aside?

When we investigate complaints both in the private sector and in the public sector, it is often clear that an unfortunate series of events could have been avoided if people had just applied the policies they already had. And often, the bridge that is missing between the rules and their implementation is simple awareness.

Never underestimate the importance of training and the impact of mere awareness. Somewhat perversely, a positive consequence of data breach incidents is the level of awareness they create among employees. It is a first step in bringing about the change in culture necessary to bring about a change in risk management.

Employees have a responsibility to follow policies and procedures—but managers have a responsibility to offer them the training they need to do so. And that training must be ongoing, so that it may remain in lockstep with advances in technology.

Finally, organizations also need mechanisms to ensure compliance, and in certain cases, that includes performance monitoring and appropriate disciplinary measures.

Encrypt portable devices

In addition to a suite of rules and procedures to ensure compliance with measures to protect personal information, technological measures are there precisely to mitigate the risk that technology also brings.

The obvious one is the encryption of portable devices that are used to store sensitive information—and by portable devices, I mean USB keys, portable hard drives, CD-ROMs, laptops and anything else that can be used to store information and that is small enough to leave the office.

Banning portable storage devices could conceivably be one way to deal with the problem, but it’s not a solution that would work for all organizations in all circumstances.

Effectively limit access

Another technological protective measure is to limit access to sensitive information.

It is important to limit access, through passwords and encryption codes, strictly to those employees who have a legitimate need to access specific data in the performance of their duties.

To ensure compliance with rules of access, it is critical to log such access in order to guarantee that rights of access are used responsibly and to take severe action in cases of unauthorized access. I have never had to sign investigative reports following unauthorized access complaints against your Department; I am therefore not in a position to comment on this matter as far as you are concerned. However, I would like to say this: Even departments that have a system of logs must ensure access controls. Once unauthorized access has taken place, it is too late for the victim.

Unfortunately, all across Canada, Privacy Commissioners have observed a worrisome number of cases of unauthorized access. In the private sector, an incident of this nature recently created a legal precedent where a court granted damages for an employee’s unauthorized access to a client’s account.
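One way to implement the need-to-know access check, the audit logging and the periodic log review described above, as an added example that is not part of the speech (the employee and client-file identifiers are constructed sample data, and the review rules are assumptions, not any department's actual procedure):

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample data (not from the speech): each employee is assigned the
# client files they legitimately work on; anything else is off-limits.
ASSIGNMENTS = {
    "emp-101": {"client-7001", "client-7002"},
    "emp-102": {"client-7003"},
}


def is_authorized(employee, client_file, assignments=ASSIGNMENTS):
    """Need-to-know check: an employee may open only files assigned to them."""
    return client_file in assignments.get(employee, set())


def request_access(employee, client_file, log, assignments=ASSIGNMENTS, now=None):
    """Enforce the check and log every attempt, whether allowed or denied."""
    allowed = is_authorized(employee, client_file, assignments)
    log.append({
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "employee": employee,
        "file": client_file,
        "decision": "ALLOW" if allowed else "DENY",
    })
    return allowed


def review_log(log, assignments=ASSIGNMENTS, deny_threshold=2):
    """Periodic review of the audit log. Returns (a) entries the current policy
    would not permit: denied attempts, and allowed accesses that no longer match
    an assignment (e.g. granted before a revocation); and (b) employees whose
    repeated denials look like browsing records rather than a one-off mistake."""
    suspect = [e for e in log if e["file"] not in assignments.get(e["employee"], set())]
    denies = Counter(e["employee"] for e in log if e["decision"] == "DENY")
    browsing = sorted(emp for emp, n in denies.items() if n >= deny_threshold)
    return suspect, browsing


def demo():
    """Constructed scenario: one legitimate user, one user probing other files."""
    log = []
    request_access("emp-101", "client-7001", log)  # legitimate
    request_access("emp-102", "client-7001", log)  # not assigned: denied and logged
    request_access("emp-102", "client-7002", log)  # second denial: browsing pattern
    request_access("emp-101", "client-7002", log)  # legitimate at the time...
    revised = {"emp-101": {"client-7001"}, "emp-102": {"client-7003"}}  # ...then revoked
    return review_log(log, revised)
```

The review deliberately re-checks ALLOW entries against the current assignments, so an access that was permitted before a revocation still surfaces for a human to look at.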

Knowing you already have all these measures in place takes us right back to the human factor: how do you ensure all these policies, procedures and technological safeguards are fully understood and followed by staff?

III. From the OPC’s Case Files

We have received approximately 860 complaints in relation to the loss of the hard drive by HRSDC.

On January 7, 2013, our office received formal written notification from HRSDC regarding the disappearance of an external hard drive containing personal information of approximately 583,000 clients of the Canada Student Loan program, and 250 HRSDC employees.

Upon receiving this notification, the Assistant Commissioner determined that there were reasonable grounds for a Commissioner-initiated complaint against HRSDC to ascertain whether there had been a contravention of the Privacy Act. We initiated an investigation against HRSDC on January 11, 2013.

The Privacy Act stipulates that the Commissioner has the authority under subsection 29(3) to investigate a matter under the Act where she is satisfied that there are reasonable grounds to do so. We consider four main issues in determining whether reasonable grounds exist for initiating a complaint in this case:

  • Whether there is a serious possibility that an investigation would disclose a contravention of the Act;
  • Whether the information forming the basis of such a serious possibility is credible;
  • Whether such a complaint would be initiated in good faith; and
  • Whether there is a clear record of the existence of reasonable grounds to initiate a complaint in the circumstances.

Our analysis confirmed that there are reasonable grounds for the Commissioner to investigate HRSDC based on a serious possibility that the HRSDC has violated a number of provisions of the Privacy Act.

Our investigation will look at the issue from the perspective of compliance with the Privacy Act. We are examining what took place, how it happened, why, and so on. However, given that the matter is under investigation, we can’t provide specific details at this stage. Once the investigation is concluded, the Commissioner will issue a Report of Findings outlining the investigation findings and her recommendations.
