Cybersecurity and privacy protection: Mutually reinforcing goals in the digital age
Remarks to the Messaging, Malware, Mobile
Anti-Abuse Working Group (M3AAWG)
October 23, 2013
Montreal, Quebec
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Our shared mission
I am very pleased to be invited to speak to this audience, whom I consider my fellow comrades-in-arms. I use that militaristic term on purpose because I believe we indeed are allies on the front lines of a very important battle now taking place in Canada… and indeed globally. That is the battle to protect personal information in the commercial world at the same time as defending cyber security. This is surely the last audience I need to convince that cyber security is a major challenge facing all of us here today, from our respective realms of telecommunications, law, law enforcement, or computer science.
And this challenge is also shared with my field of privacy and data protection.
As more and more personal information is processed or stored in cyberspace, privacy protection more and more relies on organizations effectively implementing cyber security. In effect, without cyber security, online privacy is tenuous at best and far from assured. At the same time, data protection laws heighten the importance of cyber security.
In essence, our roles are mutually reinforcing. As President Kennedy once said of the relationship between the United States and Canada: “Necessity has made us allies.”
My Office’s growing appreciation of this interdependence between privacy and cyber security can be seen in the continued expansion of our state-of-the-art testing laboratory. Through the laboratory we have tested popular apps and third party online ad components for personal information leaks. And we will be further strengthening our technology support capacity in preparation for the coming into force of Canada’s Anti-Spam Law. Prior to this, regulations need to be finalized and we are hopeful that the government can take the next steps soon. My Office has also stepped up its participation in proceedings of M3AAWG, again in recognition of our mutually reinforcing roles.
The OPC and private sector privacy law in Canada
This seems like an appropriate point to say a few words about the Office of the Privacy Commissioner itself. We’ve been around for more than three decades, beginning with the Privacy Act, a law intended to protect the personal information of citizens in the hands of the federal government. Then, more than a decade ago, the Canadian Parliament passed the Personal Information Protection and Electronic Documents Act, known as PIPEDA.
PIPEDA is an overarching private-sector privacy law which applies to any organization engaged in commercial activity. It sets out ground rules for managing personal information and mandates my Office to monitor compliance and investigate complaints.
In Canada, the provinces also have the ability to legislate in the field of consumer personal information and three have chosen to do so, including Quebec where we are meeting today. However, even in those three provinces PIPEDA still applies to areas of the private sector which are federally regulated, such as banking, transportation and – perhaps of special interest to this audience – the field of telecommunications. A key purpose of private-sector privacy laws like PIPEDA is to give consumers confidence that their personal information is treated appropriately when they engage in commerce, whether it’s the bricks-and-mortar variety or today’s e-commerce.
The challenge to privacy posed by an increasingly digital society and economy
Such confidence is becoming increasingly difficult to guarantee in today’s all-pervasive electronic ecosystems. As a measure of just how pervasive, consider that half of all phone connections in Canada are now wireless and that Canadians send more than 270 million text messages per day.
Many of today’s privacy challenges stem from the speed-of-light pace at which information technology seems to be advancing. In the competitive rush to bring products and services to market, some organizations are failing to first identify and address privacy issues.
And while organizations find new ways to profit from personal information, the risks to privacy are growing exponentially.
As car drivers, we all realize that the chances of an accident increase with the volume of traffic on the highway. Similarly, this tsunami of online transactions and of information being stored online brings a greater risk of malicious attacks and a greater vulnerability if security policies are lax.
As a direct consequence of so much personal information being collected by so many organizations, data breaches are becoming bigger. To cite just one example, in June of last year LinkedIn, a business networking site, had nearly six and a half million user passwords stolen and posted online. The company demonstrated due diligence and accountability in its response, but nonetheless the breach exposed weaknesses in its information safeguards.
Rising consumer concern and more sophisticated attacks
Understandably, Canadians are concerned about the security of their personal information held by the private sector. In a public opinion survey conducted for my Office last November, virtually all respondents (97 per cent) said they would want to be notified if the personal information they had given to an organization was lost, stolen or unintentionally exposed.
However, almost six in 10 think it is unlikely that they would, in fact, be notified in such circumstances. This pessimism is well-founded, since disclosing data breaches to the OPC or to affected consumers is not mandatory under PIPEDA at present. That is true even of material breaches carrying a risk of significant harm to individuals.
This dual expression of public concern and pessimism should act as a warning flag for those in IT executive suites… and for those on the IT front lines as well. The potential harm to organizations’ brands from data breaches is significant and on the rise. That alone should be an incentive to make cyber security and accountability a greater business priority.
But there is yet another incentive – the escalation in the number and sophistication of cyber attacks.
And the cyber attacks are becoming more sophisticated. This group has already heard presentations about the widespread ransomware virus. In Canada this virus impersonated the fictional Canadian Police Cybercrime Investigation Department and locked down the affected computer until a payment was made.
Many surveys point to a large number of businesses in Canada being unprepared for cyber attacks, be it due to a lack of awareness regarding the threats, a failure in safeguards and procedures, or seeing breaches as a cost of doing business. In a survey of more than 500 businesses in Canada, the International Cyber Security Protection Alliance reported that 70 per cent had experienced a cyber crime attack within the past 12 months. And the same percentage did not have any formal procedures to be followed in the event of a cyber crime.
Yet the private sector is home to much of Canada’s critical infrastructure assets, such as banking, energy generation and transmission, transportation and telecommunications networks.
Growing need for cybersecurity and data protection collaboration in an increasingly borderless world
Against that backdrop, it is imperative that cyber security specialists and data protection authorities like the OPC work even more closely together to improve the defences in the private sector and ensure that privacy protection is a guiding principle in cyber security efforts.
Another factor motivating greater mutual collaboration is that we both operate in worlds without borders. Threats to the security of data inside Canada can – and often do – come from outside Canada. So organizations like the Working Group and the London Action Plan play a very important role by virtue of being international.
This knowledge exchange and honing of best practices is essential for more effective cyber security. And, to echo what I said earlier, better cyber security is a prerequisite for effective privacy protection.
During my time as Privacy Commissioner, our Office has moved to strengthen ties with international counterparts.
In a milestone in global privacy protection, my Office and the Dutch Data Protection Authority collaborated last year on a joint investigation of WhatsApp, a mobile app developer based in California with hundreds of millions of customers worldwide. Our investigations focused on WhatsApp’s mobile messaging platform which we found contravened privacy laws both here in Canada and in the Netherlands.
The company agreed to implement recommendations to make its platform safer in privacy terms. Both we and the Dutch issued our own reports of findings and we both followed up under our separate respective legislation.
A much wider international privacy collaboration took place during one week this past May. Nineteen privacy enforcement agencies including my Office collaborated in an internet sweep to examine the posted privacy policies of almost 2,200 websites and nearly 100 apps.
Almost a quarter of the websites and apps had no privacy policy available. Mobile apps were especially poor with more than half lacking a privacy policy entirely and more than 90 per cent raising concerns about how they present information on their privacy practices.
The Internet Privacy Sweep highlighted the importance of organizations explaining their privacy practices in a fashion that is both transparent and concise. People need and deserve such explanations so they can make meaningful decisions in exercising control over their own personal information.
Education and training are vital
This brings me to the importance of public education and training. Our biannual tracking surveys have found a slow rise in the percentage of Canadians who rate their knowledge about their privacy rights under Canada’s privacy laws as relatively high. It’s now a little bit more than one third of all respondents. However, almost two-thirds rate their knowledge low or in the middle range.
Add to that the technological complexities of cyber security and it’s understandable that most people have great difficulty getting a handle on the interrelation between cyber security and privacy. However I believe that more and more Canadians are primed for a dose of effective public education in these matters.
Why? Because smart phones are becoming ubiquitous in this country. Already three-quarters of Canadian households have access to a wireless phone. And mobile devices such as smart phones and tablets are prime targets for the cyber-criminal.
Many of you in this room already appreciate the importance of educating your customers about best practices for dealing with phishing and other forms of malicious spam. In the same vein we at the OPC have developed a privacy accountability framework for organizations and a broad strategy for engaging youth about privacy.
It’s also a message we brought forth to Canadian small business representatives in a national tour last year. In particular, we noted a study by the global PR firm Edelman which found that 46 per cent of individuals reported leaving or avoiding companies that were afflicted by data breaches.
When it comes to avoiding such situations, an informed workforce is crucial, because any organization is only as strong as its weakest link.
To minimize risks, we call for administrative privileges to be reserved for the person on the team responsible for IT, so that not just anyone can install new software, which could in fact contain malware.
We press the need for employees to be counselled on picking strong passwords and changing them regularly.
Of course, this isn’t news for any of us here, but these measures need to become common practice across organizations.
The need for the law to keep pace
In concluding let me touch briefly on a matter that is becoming more and more urgent with each passing day. I am speaking of the need to update and strengthen Canada’s two privacy laws and, especially for this audience, the modernization of PIPEDA which was crafted at a time when clouds carried rain rather than data, when phones weren’t smart and when Twitter was the sound of a bird chirping.
Just as technology needs to advance in the face of new threats to cyber security and privacy, so does the law. My Office is gratified to be associated with the important work being done in the technology realm by this Working Group and the London Action Plan.
On the legal front, the OPC is one of three federal agencies responsible for enforcing Canada’s Anti-Spam Legislation which is currently being fine-tuned before going into effect. My Office will focus on the unauthorized collection of personal information, specifically through electronic address harvesting and through access to computer systems via malicious software and other illegal means.
While the anti-spam legislation was welcome, other more fundamental modernizations of PIPEDA are long overdue.
Before I close, here are three key recommendations for reforming the law put forward in a position paper from my Office:
- Stronger enforcement powers, to put Canada on a level playing field with some of our major trading partners;
- Breach notification, so organizations would be required to report breaches of personal information to our Office and notify affected individuals, where warranted; and
- Promoting accountability, to help ensure that organizations meet commitments to improve their privacy practices following an investigation or audit.
Reforms along these lines would mean that our Office could carry more powerful weapons as your comrade-in-arms in the protection of personal privacy. And who wouldn’t yearn for a well-armed ally in such a big battle?
Thank you.