Privacy Access Letter I Feb 5 07


Published on

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Privacy Access Letter I Feb 5 07

  1. 1. “Dear Privacy Officer” – the Nightmare Letter (Part I) Constantine Karbaliotis, LL.B., CIPP12 Introduction Canada does not currently have a general law requiring notification of personal information breaches however, under PIPEDA and Canadian provincial privacy legislation, individuals are afforded the right to ask businesses that have collected from customer’s personal information, what is known about them. In light of recent security failures affecting millions of Canadian credit card holders3, companies would do well to consider the possibility that such laws might soon be introduced. At minimum, they should expect individuals will exercise their “right to know” more vigorously and will seek to understand corporate privacy and security measures intended to protect personal information. There have been a number of warnings that privacy is not very well understood or protected by retailers. A study produced last year4 indicates a general failure on behalf of retailers to adequately understand or deal with accountability, openness, access and consent. The capacity of retailers to safeguard personal information, or even know if a breach has occurred, is also suspect. These events also highlight the likelihood that there are many more unreported events affecting Canadians. While Canada does not have a mandatory notification of privacy breaches, except under Ontario’s Personal Health Information Protection Act (PHIPA), it has been held by the western Privacy Commissioners that a moral, if not legal, duty to 1 Canadian Senior Compliance Business Specialist, Symantec (Canada) Corporation 2 This is intended to provide commentary on legal issues and how technology can be used to support compliance. It is not intended, and should not be relied upon, to provide legal advice in any particular factual circumstance as individual situations will differ and should be discussed with a lawyer 3 4 “Compliance with Canadian Data Protection Laws: Are retailers measuring up?”, The Canadian Internet Policy and Public Interest Clinic (April 2006), ©Symantec (Canada) Corp. February 5, 2007
  2. 2. Page 2 notify exists under the ‘safeguarding’ principle5. Companies have a duty to safeguard personal information, and if a breach occurs, this duty is extended to taking steps to mitigate the harm caused by a breach. Principles relating to Safeguarding and Access Given the public’s knowledge on the occurrence of privacy breaches brought about by reports in the media, and in fact may be underreported, companies should be prepared for Canadians’ exercising their right to inquire not only what an organization knows about them, but whether their personal information is at risk or has been exposed. Principle 9 of the Canadian Standards Association Privacy Principles, incorporated into PIPEDA as a schedule, states as follows: 9. Individual Access Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information, and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate. Also relevant are the following principles: 1. Accountability An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles. 7. Safeguards Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. 8. Openness An organization shall make specific information about its policies and practices relating to the management of personal information readily available to individuals. 10. Challenging Compliance 5 “Approaches to Security Breach Notification: A White Paper”, The Canadian Internet Policy and Public Interest Clinic (CIPPIC) (January 9, 2007), pp. 3, 5. ©Symantec (Canada) Corp.
  3. 3. Page 3 An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance. An elaboration of the 8th principle in the Schedule provides as follows: 4.8.1 Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable. Policy represents high-level statements, goals for the organization, and are often found in documents that outline corporate security policies, which may be based on standards such as ISO 17799. Practices, in this context, are how the policies are implemented, and are more at the level of IT controls designed to ensure that the policies are carried out through technological means. These access rights may bring about broader questions than merely “what do you know about me?” From the retailer’s standpoint, simply relaying principle seven and the other principles contained in PIPEDA does little more than restate legal obligation6 and is therefore, meaningless. A company does not have to disclose so much detail that it would put at risk the personal information they are obliged to protect. However, responding to a customer’s request about how their personal information is safeguarded should provide sufficient detail to satisfy them that their information has in fact been protected by safeguards that are appropriate to the sensitivity of the data. 6 “A common variation of the themes set out above is for companies to merely restate their legal requirements under PIPEDA rather than explaining their own data management practices in detail.” “Compliance with Canadian Data Protection Laws: Are retailers measuring up?”, The Canadian Internet Policy and Public Interest Clinic (April 2006) at page 39. ©Symantec (Canada) Corp.
  4. 4. Page 4 Organizations would do well to be prepared for the receipt of the ‘nightmare access letter7,’ from an irate consumer who knows a little too much about privacy and information technology. The following is an example of the access letter and is offered as a tool for C-level executives on the forefront of dealing with privacy breach fallout. Of course, only a finding from a privacy commissioner would determine whether this letter would have to be answered if received by a company. It may be that some points may be considered as asking for too much in an access request. I would suggest that this letter is premised upon the principles set out above, and the right to be informed of personal information policies and procedures. In any case, a positive use of this letter for executives concerned about their privacy policies would be to send it to their own organization, and treat it a real letter from a customer. This would serve as a test of company’s compliance and security teams’ capability to respond to this type of request – a privacy ‘vulnerability’ test. This will provide insight on not only the ability to answer privacy access requests, but also highlight corporate data handling issues that can grow into privacy breaches. The Nightmare Letter for Access Dear Sir/Madam: I am writing to you in your capacity as privacy officer for your company. I am a customer of yours, and in light of recent events, I am making this request for access to personal information pursuant to principles 1, 7, 8, 9 and 10 of Schedule 1 of the 7 Points 1 through 3 are based upon the template letter contained in the publication “Compliance with Canadian Data Protection Laws: Are retailers measuring up?”, The Canadian Internet Policy and Public Interest Clinic (April 2006) at page 67. The items contained in 4(a) are based upon the proposed format of 7 breach notification contained in “Approaches to Security Breach Notification: A White Paper”, The Canadian Internet Policy and Public Interest Clinic (CIPPIC) (January 9, 2007), p 27. ©Symantec (Canada) Corp.
  5. 5. Page 5 Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). I am very concerned that your company’s information practices may be putting my personal information at undue risk of exposure or in fact has breached its obligation to safeguard my personal information pursuant to principal 7. I would like you to be aware at the outset, that I anticipate reply to my request within 30 days as required by s. 8(3) of PIPEDA, failing which I will be forwarding my inquiry with a letter of complaint to the Federal Privacy Commissioner’s Office. Please advise as to the following: 1. Please provide me with a copy of all specific personal information you have about me in your files and databases. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store. 2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of this information. 3. Please provide a list of all companies with whom you have (or may have) shared my information. If you cannot identify with certainty the specific companies to whom you have disclosed my information, please provide a list of companies to whom you may have disclosed information about me. 4. I would like to know whether or not my personal information has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach. ©Symantec (Canada) Corp.
  6. 6. Page 6 a. If so, please advise as to the following details of each and any such breach: i. a general description of what occurred; ii. the date and time of the breach (or the best possible estimate); iii. the date and time the breach was discovered; iv. the source of the breach (either your own organization, or a third party to whom you have transferred my personal information); v. details of my personal information that was disclosed; vi. your company’s assessment of the risk of identity fraud to myself, as a result of the breach; vii. a description of the measures taken or that will be taken to prevent further unauthorized access to my personal information; viii. contact information for so that I can obtain more information and assistance in relation to such a breach, and ix. information and advice on what I can do to protect myself against identity theft and fraud. b. If you are not able to state with any certainty whether such an exposure has taken place, through the use of appropriate technologies, please advise what mitigating steps you have taken, such as: i. Encryption of my personal information; ©Symantec (Canada) Corp.
  7. 7. Page 7 ii. Data minimization strategies; or, iii. Any other means c. Please advise if you have had any circumstances in which employees or contractors have been dismissed, and/or been charged under criminal laws for accessing my personal information inappropriately, or if you are unable to determine this, of any customers, in the past twelve months. 5. I would like to know your information policies and standards that you follow in relation to the safeguarding of my personal information, such as whether you adhere to ISO17799 for information security, and more particularly, your practices in relation to the following: a. Please inform me whether you have backed up my personal information to tape or other media, and where it is stored and how it is secured, including what steps you have taken to protect my personal information from loss or theft, and whether this includes encryption. b. Please also advise whether you have in place any technology which allows you with reasonable certainty to know whether or not my personal information has been disclosed, including but not limited to the following: i. Intrusion detection systems; ii. Firewall technologies; iii. Access and identity management technologies; iv. Database audit and/or security tools; or, ©Symantec (Canada) Corp.
  8. 8. Page 8 v. Behavioural analysis tools, log analysis tools, or audit tools; c. Please also advise what technologies or business procedures you have to ensure that individuals within your organization will be monitored to ensure that they do not deliberately or inadvertently disclose personal information outside your company, through e-mail, web mail or instant messaging, or otherwise. Yours Sincerely, I. Rate Symantec Solutions What does this mean for your organization? Keep in mind that in order to address these concerns, no software solution is by itself complete. The goal for implementing compliance solutions is to understand the problem in the context of your business, to build the appropriate foundations within the company to support a culture of compliance, and to support these efforts with appropriate tools, such as set out below. Implication Symantec’s Solution 1 Most organizations have a limited ability to find • Symantec Enterprise Vault what they know about an individual. Information is not often in structured databases; in fact the majority of information today is in unstructured forms such as e-mails, documents on file servers and on individual machines, even in voice mail systems. 2 Similarly, few organizations can actually know how • Symantec Bindview Policy the personal information they collect is being used, Manager or limit use to the terms on which it was collected – based upon the consent of the individuals, and the stated privacy policy at the time of collection. 3 Increasingly, organizations are relying on their • Symantec Control Compliance contracts to impose standards – and audits – on Suite their subcontractors, to ensure that they are doing • Symantec Enterprise Security what they promise in terms of protecting client Manager information. However, security is not equivalent to privacy, and the uses of personal information ©Symantec (Canada) Corp.
  9. 9. Page 9 Implication Symantec’s Solution remains an area of challenge. 4(a) As mentioned above, the challenge for many • Symantec Control Compliance organizations is to simply know if they have had a Suite security issue or not, and if they have, what exactly • Symantec Enterprise Security has happened. Few have the tools to support this Manager type of investigation, requiring considerable manual • Symantec Database Security and effort from IT staff to support audits, and forensics Audit to determine what has happened after a breach. • Symantec Security Information Manager 4(b) It is also the case that many companies regard • Symantec Security Information security as ending with a firewall, assuming that this Manager will stop all threats. Effective security policy is built • Symantec Network Access Control upon the assumption that someone will overcome • Symantec Sygate Enterprise the first line of defence, or that the threat will come Protection from within. • Symantec On Demand Protection • Symantec Database Security and Audit 4(c) Internal threats, rogue employees and criminal • Symantec Sygate Enterprise organizations are part of the corporate landscape, Protection and raises the question about the ability to detect • Symantec On Demand Protection unusual access or behaviour within the organization. • Symantec Database Security and Audit 5(a) Backups are particularly thorny – they are • Symantec Enterprise Vault snapshots of the organization as a whole, taken o Compliance Accelerator repeatedly on a daily, weekly and/or monthly basis. o Discovery Accelerator There are major issues with the management of tapes , their storage and handling, and the ability of organizations to find personal information relevant to a single individual, somewhere in that massive realm of tapes. Use of backups in this fashion is inappropriate; 5(b) Establishing controls over information technology • Symantec Control Compliance has become increasingly important in the area of Suite SOX/Bill 198 compliance, but is only slowly • Symantec Enterprise Security becoming an area of privacy compliance. Payment Manager Card Industry Data Security Standards (PCI-DSS) is • Symantec Database Security and imposing new requirements for protecting credit Audit card data, which will impact privacy protection. However, today few organizations have the tools required to know they have been compromised. 5(c) Content control is something few organizations have • Symantec Mail Security in place, despite the fact that e-mail is the most • Symantec Enterprise Vault common medium for communication today, and the o Compliance Accelerator sheer number of e-mail messages mandates some form of automation to gain effective control. Next time: The Nightmare Letter Part II – “Now, please get rid of my personal information.” ©Symantec (Canada) Corp.