This coming January 28, Quebec, like many other jurisdictions around the world, will be celebrating Data Protection Day. While governments launch public awareness campaigns to encourage the secure use of information technologies, Canadians are becoming more and more concerned about the security of their personal information held by various organizations. A 2013 study found that fully 66% of Canadians were “very concerned” about the degree to which their privacy was being protected1.
At the same time, another study involving 1,006 Canadian companies found that 55% of them had no personal-data protection policy and that 67% had no procedure in place for assessing the risks posed by their products, services or technologies to the privacy of consumers2.
Given the data thefts, security breaches and massive cyber attacks by hackers that have come to light over the last few months, it is no wonder Canadians are so concerned. Recent news headlines have highlighted the growing number of such incidents, which include:
- The October 2014 launching of a website broadcasting the live feed from video surveillance cameras and webcams;
- Last fall, the US subsidiary of a Canadian bank agreed to pay more than $1.4 million to settle a lawsuit alleging its failure to timely notify individuals affected by a breach in the confidentiality of their personal information. The suit alleged that backup files containing the personal information of 260,000 persons had been lost or mislaid;
- Following the recent highly publicized cyber-attack against Sony Pictures, class actions were filed against the company alleging that its security measures and data retention policy had serious shortcomings that allowed hackers to access the claimants’ personal information. The company’s vacillations about releasing the film “The Interview” may have overshadowed the fact that the hackers published the salary details of over 6,000 Sony employees. Sony’s PlayStation network was also attacked by hackers, resulting in an interruption of service between December 24th and 26th;
- In early January this year, Morgan Stanley disclosed that one of its employees had stolen the personal information of 350,000 clients.
And to that list could be added:
- Thefts of credit-card information from large retail chains including Target, K-Mart, Home Depot and Staples;
- Security breaches and cases of unauthorized access affecting Apple;
- Hundreds of breaches of the confidentiality of personal information held by the Government of Canada over the last two years.
The sheer variety of such attacks and incidents shows that no one is safe and that assessing the risk of being targeted by an attack is extremely difficult.
In Quebec, the Act to establish a legal framework for information technology and the Act respecting the protection of personal information in the private sector impose information security obligations on a variety of organizations. In addition to the security-related processes and technologies that must be implemented and regularly reviewed pursuant to these statutes, the attacks and breaches outlined above argue in favour of the inculcation of a concern for information security and the protection of personal information into the corporate culture of all such organizations who, together with their clients and employees, must be made conscious of the risks inherent in using a public IT network and of the impossibility of achieving protection against all of the vulnerabilities of information technology.
Nonetheless, as the Sony episode shows, those same clients and employees legitimately expect that organizations entrusted with their personal information, or those from whom they purchase products and services, be seriously concerned about adequately protecting it and make every reasonable effort to do so, including adopting and regularly reviewing their IT security policies and processes, and act with all due haste in the event of any breach, so as to minimize the damage that may ensue.
It is with these considerations in mind that we recommend that you examine your own IT policies and processes to ensure that they adequately provide for the secure collection, retention, access to and destruction of personal information, and that you will be in a position to act in a timely and appropriate manner in the event of a breach, theft or attack.
Our professionals specializing in information-technology and privacy law are always available to assist you in the formulation or review of your policies and processes.
Happy Data Protection Day!