In December 2014, the Office of the Privacy Commissioner of Canada (the “Commissioner”) released a report entitled Privacy and Cyber Security: Emphasizing privacy protection in cyber security activities (the “Report”), examining the common interests and tensions between privacy and cyber security.
According to the Report, as personal information is increasingly processed and stored online, privacy protection and cyber security will continue to become more interconnected. The Report states that privacy protection relies on the effective implementation of cyber security measures implemented by organizations to secure personal data and the critical infrastructure that protects data and personal information.
However, the Commissioner recognizes that these cyber security measures can threaten privacy and outlines six emerging challenges facing cyber security and privacy. We have included some examples below as to challenges applicable to reatilers.
- Complexity of the connected environment: Cyberspace has become increasingly complex and interconnected through the prevalence of mobile devices, which allow for mobile shopping and mobile payment methods, cloud computing, and online financial transactions (a 2014 study revealed that 54% of data breach investigations targeted e-commerce with retail being the most targeted industry). The result is that personal preferences, details, and movements can be tracked online through an interconnected web of processes and relationships; whereby, threats in cyberspace can target the weakest link in this interconnected web to gain access to the data within. As such, all stake holders in cyber security efforts have a shared role in protecting the infrastructure and information that flows through it.
- Growing sophistication of the threat: The Report states that, “as the scale of information flowing through cyberspace has expanded, so too has its value to corporations, government, and those with malicious intent.” Due to the increase in the size and value of our online data footprints, there has been a professionalization of cyber-crime and an increase in state-sponsored threats from well-educated and funded actors.
- Threats are moving to the mobile sphere: With the number of cellphones in use to exceed the global population in the next three years, mobile communications and cloud services are becoming targets for the cyber-criminal through malware on mobile devices. This should be of concern to retailers; as consumers increasingly use mobile apps for shopping and other services, there is an increased potential for such apps to become targets for cyber criminals who would look to steal and exploit the information being shared on and through the apps. In addition, there is increased concern over data interception when a device is connected to free public Wi-Fi and during near-field communications, such as “tap-and-pay.” Due to the amount of personal information held on mobile devices, and the risk associated with these devices, the mobile industry has a heightened responsibility to ensure the safety of their platforms and systems. For more on Mobile App Privacy Practices, click here.
- The “big data” paradox: is it a bigger risk or solution?: Big data refers to the large stores of information gathered from traditional sources, web data, social networks, and texts. It is claimed that big data can provide solutions and insights into how a retailer can capitalize on an array of issues, including: promotional campaigns, pricing and consumer tastes. However, big data also raises privacy concerns related to how to secure the data and how to make use of the data while protecting personal information. In addition, big data is a valuable commercial asset and will be the target of cyber-attackers. There is also evidence that big data can lead to the unrestricted collection of data which may yield very personal insights about individuals. The importance of secure data storage by retailers has again been evidenced this week with the security breach at Natural Grocers. For more on Big Data,click here.
- For many, breach preparedness is still not a priority: The Report states that larger businesses in Canada are better situated to deal with constantly evolving cyber threats. However, the Commissioner noted considerable gaps in the preparedness of Canadian businesses against cyber-crime and cites that 69% of Canadian businesses have no procedure in place to follow when cyber-crime is identified. Further, the Commissioner advises that only 22% of Canadian businesses reported having some type of risk assessment process to identify vulnerabilities. For more on Breach Preparedness, click here.
- Compliance vs. risk-management: The Report cautions against organizations that simply follow a “check-the-box” compliance model based on government regulations, as this may lead to a false sense of security. The Report suggests that organizations adopt a risk management approach to cyber-security whereby they are continually examining their security systems to identify where additional safeguards are needed. For more on Compliance with Privacy Requirements, click here:
The Commissioner also suggests that as individuals become more connected to cyberspace, they will rely on organizations for effective implementation of cyber security and heightened sensitivity to privacy. The Report outlines three areas where an increased emphasis on privacy protection could help support, advance, and augment cyber security activities:
- Building privacy values into cyber security policy directions: Cyber monitoring and surveillance can create tensions or conflicting requirements between privacy and cyber security strategies. As such, the Report suggests that advocates of privacy ensure that cyber security strategies hold privacy protection as a guiding principle and not allow these strategies to be used as an excuse for the unfettered monitoring of personal information.
- Legislative approaches that incentivize cyber security preparedness: The Report is somewhat critical of the private sector for too often treating personal information as a commodity and for leaving themselves vulnerable to breaches. Although the Report sees the private sector as having a shared role in protecting personal information in cyberspace, the Report also acknowledges the importance of legislative measures, such as CASL and the Digital Privacy Act, to protect Canadians. The Commissioner recognizes that personal information must be identified as a critical asset in need of protection and that both the private sector and the legislature must take measures to increase cyber security. For more on the Digital Privacy Act, click here.
- Facilitating broader dialogue on cyber security that acknowledges its importance for privacy, trust, and responsible data stewardship: The Report notes that the complexities of cyberspace and the sophistication of threats mean that it is no longer enough for organizations to be compliant with minimal privacy regulations. It goes on to provide that organizations must now give effect to all privacy principles and practice privacy compliance throughout the lifespan of the information to protect personal data. The Commissioner encourages all stakeholders to collaborate and ensure that there are checks and balances on all cyber security activities. As an example, several of the U.S’s largest retailers share cyber threat information amongst each other and the U.S. government through the Retail Information Sharing and Analysis Center.
In summary, the Report stresses the interconnectedness of cyberspace and the shared responsibility of all cyber security actors to collaborate in order to protect online personal information.