Privacy and Security – Some Observations
Mark S. Hayes, Blake, Cassels & Graydon LLP
7th CACR Privacy and Security Workshop - Toronto
November 3, 2006
Conundrums of Security and Privacy
• Security = Privacy
• Security ≠ Privacy
• Security = Privacy
Security = Privacy
• Must be able to secure and protect personal information in your possession or control
• May be different from usual internal security
  • Include “right to know” internally and require different controls
  • Passwording, encryption
Security ≠ Privacy
• Security for PI is a necessary but not sufficient condition for privacy compliance
• PI can be secure but used improperly or disclosed to inappropriate persons (both inside and outside organization)
• Security of PI is only one part of privacy compliance program
Security = Privacy
• Anonymity and encryption:
  • Bad for security
  • Good for privacy
• One of the most important elements of a good security program is “know your users”
• However, must collect and use information with consent to comply with privacy regulations
• Must understand nature of trade-offs
Hayes’ Laws of Privacy and Technology
• Technology will always enable you to do more than you are allowed to do
• Technology will often restrict you from doing something that you are required to do
• You will always discover the application of each of these laws right after an expensive technology implementation project is completed
Security Breaches
• PIPEDA security standards vague
  • Principle 4.7: “Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.”
• Alberta PIPA slightly more detailed: “protect personal information ... by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction”
• Seem to use objective standard
Some Security Cases
• PIPEDA decisions: strict liability “disclosure is breach” test
• PIPEDA Case #277 (2004)
  • “To” line used rather than “BCC” line in e-mail
  • sub-contractor had appropriate safeguards in place
  • “company did not meet the requirements of Principle 4.7.1”
• PIPEDA Case Summary #289
  • Laptop containing customer’s banking information stolen from bank’s financial advisor’s car
  • Laptop equipped with security features (including password protection)
  • Bank’s laptop security policy PIPEDA-compliant
  • Bank still in breach
More Security Cases
• Alberta trio of 2005 cases used similar standards
  • Linens ‘N Things, Nor-Don Collection Network Inc., Digital Communications Group Inc.
  • Police found consumer records in hands of criminal gang
  • Three retailers found in violation of PIPA
• While precise failure of security was not identified in each case, retailers all found to have violated PIPA
• Possible that decisions were justified on basis of retailers’ failure to secure documents, but standard not well expressed in decisions
B.C. Investigation Report F06-01
• “reasonable” means “objectively diligent and prudent in all of the circumstances”
• “defining and documenting security arrangements … is diligent and prudent practice”
• “fact that a generally-accepted and proven practice has been followed may be strong evidence of prudence and diligence in protecting personal information, but it is not determinative”
• Encryption of electronic records may be important
B.C. Investigation Report F06-01 (2)
• “risk of a privacy breach due to criminal activity or other intentional wrongdoing is contemplated in assessing reasonable security arrangements”
• Cost of additional security may be an issue
• Also see B.C. Investigation Report F06-02
• Clearly the BCPC’s nuanced and objective approach seems more appropriate than the “breach means unreasonable” approach seen in other cases
Recent Alberta PIPA Cases
• To determine what security measures are reasonable, must look at:
  • medium information is stored on
  • sensitivity of information
  • industry standards or practices
  • foreseeability of unauthorized access or disclosure (including possibility of criminal activity)
  • cost of additional measures vs. additional level of security they would provide
• E.g. recommended that all personal information on laptop computers should be encrypted
Notification of Security Breaches
• Only Ontario PHIPA requires notification after a security breach involving personal information
• Most privacy commissioners support imposition of notification obligation
• In F06-02, BCPC concluded that “A public body should, following a data loss or theft, conduct a prompt assessment of any risks posed thereby. If the public body concludes that notification is appropriate, … it should prepare a notification strategy and execute it.”
Notification of Security Breaches (2)
• In many U.S. states, notification is mandatory except in limited circumstances
• In Victoria, Australia, privacy commissioner has implied an obligation that notification should be the rule, absent exceptional circumstances
• Issues with notification:
  • cost of notification
  • breach does not mean privacy risk
  • over-notification causes more damage than breach
  • constant notification causes desensitization
• Issue is on table for PIPEDA review
Questions?
For a copy of these slides, just ask! mark.hayes@blakes.com