With more and more reports of alarming data breaches, such as the one reported by computer security firm Kaspersky Lab on the weekend, the connection between cybersecurity and privacy can no longer be ignored. As reported in BBC News on February 15, 2014, Kaspersky Lab said that up to 100 banks and financial institutions worldwide (including in Canada) have been attacked in an “unprecedented cyber robbery” (http://www.bbc.com/news/business-31482985). According to the report, an estimated $1bn (£648m) has been stolen in the attacks, which started in 2013 and are still ongoing.
Last week, the Office of the Privacy Commissioner of Canada released its report, Privacy and Cyber Security – Emphasizing privacy protection in cyber security activities, which recognizes the threat to privacy posed by cyber breaches and describes policy directions to generate dialogue about cybersecurity as a key element of protecting privacy online.
The OPC report states that: “As cyber security policy directions develop, privacy and data protection authorities have a role to play to reinforce privacy values to ensure that cyber security policy respects privacy rights, and prioritizes personal information protection”. The report encourages organizations to build privacy values into cybersecurity policy directions and says that the importance of “privacy, trust and responsible data stewardship” should be acknowledged in the broader cybersecurity dialogue.
Are Canadians taking notice? It appears they are. Privacy and protection of their personal information are becoming more important to Canadians. A recent survey by the Canadian Privacy Commissioner revealed that people are becoming more aware of how their personal information is being secured.
Over three-quarters of those surveyed said they were concerned about how their personal information online was being used by the government, while about 50% said they did not have a good understanding of what business and government departments actually do with their personal information. Almost 30% said their personal information had been breached.
The good news is that this increased awareness is resulting in better practices. A majority of people now use passwords on their smartphones, adjust privacy settings in online applications such as Facebook, turn off location services so that their movements are not tracked, and are less likely to share, or at least question sharing, personal information with organizations.
On the business side, over 80% of people said they would be more likely to choose to do business with a company that has a good data security record.
Privacy Commissioner Therrien commented on these results, saying “businesses should be more upfront and clear about their privacy practices – and not bury that information in long, legalistic privacy policies. And government departments and agencies need to respond to Canadians’ expectation that they be transparent about how they collect and use personal information.”
Wortzmans believes that on the business side, organizations need to take a more holistic approach to cybersecurity and privacy protection. These are not issues to be left only with IT or Legal to resolve in isolation. IT, legal, risk, HR and compliance expertise should all contribute to developing a proactive cybersecurity plan for an organization or government entity.