On February 15, our Privacy and Data Security and Technology lawyers hosted a webinar on Employee Behaviours and IT/Cyber Risk. They discussed the biggest risks to IT systems, what those risks are, and how to mitigate those risks.

Throughout the webinar, a number of important questions were asked. In response, Donald Johnston, Co-Chair of Aird & Berlis LLP’s Privacy & Data Security Team and Co-Leader of the Technology Team, has provided answers to a number of the most frequently asked questions.

Q: To put more emphasis on your last point regarding using the same passwords, hackers sell lists of these. You can find lists of them to see if you were affected by a breach by plugging your email address into a search field. https://haveibeenpwned.com/PwnedWebsites

Thanks for the reminder about this website. A lot of people will be surprised to find their passwords compromised.

Q: Curious, how did you keep track of multiple passwords then? That is a bit difficult.

I use the letters of poetry I learned in school decades ago. For example: TbOnTb = To be or not to be. Of course the ones I use are a lot more obscure. First letters of words in songs you like are also very good. I have no trouble keeping track of them, for some reason.

Q: Do you really have to give the password over to Border Agency?

Yes, you might well have to. When you are at the border, the rules that limit police don’t limit border guards.

Q: If CBSA asks for a password to a laptop or blackberry when I cross a border, what are my obligations to protect privileged information on that device? What steps should I take?

You have to say that the information on the laptop is protected by lawyer-client privilege and that you are asserting that privilege. They may well keep your laptop for a while, until they figure out what to do. It won’t be easy, but you have little other choice.

Q: If you have a third party IT provider should you ask that their employees sign the organizations confidentiality agreement?

Most counsel do not, since the normal rule of respondeat superior covers each employee by any confidentiality agreement that the employer signed.

Q: Is there any legislation which protects employee files for non-profits? It looks like employee files do not fall under any legislation in Ontario.

You are right. Nevertheless, most employers, whether for- or not-for-profit, have an employee privacy policy. Once that policy is in place, the employer is bound by it, and it can be alleged to be part of the employer-employee contractual relationship.

Q: Our employee HR files are kept in a cabinet which can be accesses by facilities staff, access is not audited and monitored.

That’s a walking talking data breach right there. Why in the heck would your employer do that?

Q: We are running an events business as part of our Social Enterprise service; customer data is kept in the USA. Do we have to inform each client when they book our event space that their data is kept in the US?

Why not just publish that fact on your website, in your terms of use? Nobody ever reads that stuff anyway.

Q: With respect to your comment about legislation around keeping data in our jurisdiction – many organizations are storing data on the cloud. What are the implications of this with respect to the legislation?

It’s a problem, because you may not in fact know, in a plain vanilla cloud scenario, where your data is at any given time. I know that this one act is giving government users second thoughts about using public cloud for storage of data. Some providers, like SalesForce, do not yet have a data centre in Canada and so their SaaS solutions may be tough to sell to governments and public bodies.

Q: Suggestion for multiple passwords – put multiple passwords in a password-protected document.

That works. There are also “password lockers” that perform the same function. They are accessible on most smart phones.

Q: You’ve referenced police powers in contrast to CBSA powers. If the police pull you over do you have to provide them with your cell phone password? Could it not (rightly or wrongly) incriminate you if you were texting?

The police can ask you anything they want. You don’t have to tell them anything, but not telling them may earn you a trip to the station. If they have reasonable and probable grounds to suspect that your phone was used in the commission of a crime, they can seize it and get a warrant to inspect it. They seize it in the name of protecting evidence from loss. You can challenge their grounds, of course, but that is a technical argument to be made in court. If you were texting when you should have been paying attention to your driving, then opening your phone will definitely incriminate you. So don’t.

Q: Based on all of these recent cases, what is the likely outcome of the Yahoo breach and damages?

A couple of hundred million people will split a few hundred million dollars equally among them. And, oh yes, the class action lawyers will get paid off the top. So they are the really winners.

Q: This is more of a comment rather than a question: when in doubt if an email is a “phishing” or fake email, hit the “reply” button (as if you were going to reply to the email, but do not reply), and the sender’s email address will confirm that it is.

Yep, unless the return address has been spoofed. If the email contains a link – which is the real “hook” that the phisher wants you to click – it doesn’t matter if the return address is spoofed, and therefore useless.

Q: What if you do not have your laptop/phone with you? But they still want passwords to access info externally (via a website)? Do you still have to give them over?

No. They can only inspect what you are importing. That being said, if the border personnel are U.S. border guards, they may want to keep “undesirables” out of the country. So they may ask you for your user name and passwords to look at social media sites for the purpose of seeing who you hang out with and what you believe. If you refuse to give them that information, they can deny you entry. They can do this because they can deny you entry on any ground or no ground at all. They can tell you that you can’t come in on a whim.

Q: In the digital world, more and more companies are shifting towards digital/paperless employee records. When I think of HR Information Systems such as Workday – how does this play or relate to this scenario?

Workday is sold as a cloud/SaaS application and is meant to be mobile. Travel across borders increases the likelihood of inspection of records by government agencies. However, if you travel with a netbook that contains no data, you are probably safe at the border. Your phone is more of an issue.

Q: Who would be liable for a potential security breach seeing as these records are hosted through a vendor? What measures can we have in place and how can we protect ourselves?

The Vendor would not be liable because the Vendor hasn’t done anything to cause a security breach. If you reveal your username and password at the border, it isn’t the vendor’s fault if the authorities use that information to inspect confidential records.

Q: What do you mean use a VPN for data?

A virtual private network. It uses encryption and transport layer security to keep private information private even in a public setting.

Q: What do you think of using third party password keepers?

I like them.

Q: If private information is shared among multiple parties as part of a transactional process, who is ultimately responsible if data is lost by the third party. Would it be the party who initially collected the information?

Yes, that’s where it would start. However, if there were breaches of law among any of them, all could be embroiled in suits.

Q: I would like to chat with your cyber team about how DiscoverNet can support your efforts with SME clients. Most significantly, we have an IT Security Audit product/process that is priced for periodic running of them.

Happy to talk anytime.

Q: Does data centre location really make a difference, given that data in Canada transits through the US?

Very, very little difference.

Q: Is it constitutional to ask for individuals passwords for social media when you just want to travel for leisure?

The constitution has nothing to do with it. If you are outside the U.S., have no right to be there and want to come in, they can ask anything they want and keep you out if they feel like it. You have no rights.

Q: Are border officers asking the same questions when Americans visit Canada?

Not to the same extent.

Q: What is the most significant difference between PIPEDA and MFIPPA?

MFIPPA is an access to information statute. PIPEDA is an information protection statute.