Siskinds, a leading Law Firm in Ontario, presented updates on PIPEDA legislation including what you need to know, and what you need to do in order to ensure your company is compliant.
Security, Privacy Data Protection and Perspectives to Counter Cybercrime 0409... (Gohsuke Takama)
"Security, Privacy Data Protection and Perspectives to Counter Cybercrime" was presented at the CodeGate 2008 security conference in Seoul, Korea, April 2008.
http://www.codegate.org/
Andrew Ford, VP of Sales and Marketing at Next Dimension, discusses how to leverage your IT services partner to build a successful cyber security (and overall business) strategy roadmap.
Many executives are concerned about the security of their data and network infrastructure. Join us and learn where your organization may have security gaps or be out of state or federal compliance. In this seminar, we will discover how a combination of good policies and the implementation of good, solid solutions can help you meet compliance requirements, and protect and secure your organization or business.
Privacy & Pwnage: Privacy, Data Breaches and Lessons for Security Pros (Nicholas Van Exan)
An overview of some contemporary topics related to privacy and data breaches, with a focus on how security professionals can help mitigate privacy risks both before and after data breaches occur.
What is Information Security and why you should care ... (James Mulhern)
An interactive introduction to Information Security and Cyber Security for BTEC students studying IT at Swindon College in the UK. The session illustrates the breadth and diversity of the subject and the opportunities it can offer. It also illustrates that things might not always be as they seem and that the impacts can be far more wide-reaching than first imagined.
The importance of information security nowadays (PECB)
Nowadays, living without access to the information of interest at any time and any place, through countless types of devices, has become unimaginable. However, its security has become more important than information access itself. In fact, today information security rules the world…! Why?
How your nonprofit can avoid data breaches and ensure privacy (TechSoup Canada)
Increasingly, nonprofits hold large quantities of digital assets (such as donor information, grant application details, financial records, etc.). Organizations of all sizes and industries are being targeted by cyber criminals. Cyber-attacks will often devastate an organization’s operations and have significant financial, legal and reputational consequences.
In this webinar, Imran Ahmad of Miller Thomson, LLP will explain how implementing best practices from a pre-breach standpoint can go a long way to mitigate the negative consequences of a cyber-attack.
What you will learn:
- what the cyber threat landscape looks like
- how to ensure privacy of your digital assets
- steps to take in the aftermath of a cyber-attack
Does your organization take credit card information? Do you store personal information on your staff, clients or donors? Raffa can help you avoid the pitfalls and penalties that can come from storing these privacy related items in unsecured ways.
PCI DSS, the Payment Card Industry Data Security Standard is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. This applies to essentially any merchant that has a Merchant ID (MID).
HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information must ensure that all the required physical, network, and process security measures are in place and followed. This includes anyone who provides treatment, payment and operations in healthcare, and anyone with access to patient information and provides support in treatment, payment or operations.
DAMA Webinar: The Data Governance of Personal (PII) Data (DATAVERSITY)
To do effective data governance, analysts should preview the amount of data their organization is collecting and consider if it is all necessary information to run the business or just “nice to have” data. Today companies are collecting a variety of Personally identifiable information (PII), combining it with location information, and using it to both personalize their own services and to sell to advertisers for behavioral marketing. Data brokers are tracking cell phone applications and insurance companies are installing devices to monitor driving habits. At the same time, however, hackers are embedding malicious software in company computers, opening a virtual door for criminals to rifle through an organization’s valuable personal and financial information.
This presentation explores:
• What company data should be tagged as “sensitive” data?
• Who within the company has access to personal data?
• Is the company breaking any privacy laws by storing PII data?
• Is the data secure from both internal and external hackers?
• What happens if there is an external data breach?
How to Build and Implement your Company's Information Security Program (Financial Poise)
Data is one of your business’s most valuable assets and requires protection like any other asset. How can you protect your data from unauthorized access or inadvertent disclosure?
An information security program is designed to protect the confidentiality, integrity, and availability of your company’s data and information technology assets. Federal, state, or international law may also require your business to have an information security program in place.
This webinar will provide the basics of how to create and implement an information security program, beginning with identifying your incident response team, putting applicable insurance policies into place, and closing any gaps in the security of your data.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/how-to-build-and-implement-your-companys-information-security-program-2021/
Training innovations information governance slideshare 2015 (Patrick Doyle)
What you will learn in this training:
Principles of Information Governance and their application to health and social care organisations
Accessing Information Governance resources including national legislation, guidance and local policies & procedures
Health and social care organisations’ responsibilities
Protection of an individual’s confidentiality and the Caldicott Principles
How to practice and promote a confidential service
Principles of ensuring and maintaining good client records
Recognising / responding to Freedom of Information requests
Keeping Information Secure
This presentation is prepared by Author for Perbanas Institute as a part of Author Lecture Series. It is to be used for educational and non-commercial purposes only and is not to be changed, altered, or used for any commercial endeavor without the express written permission from Author and/or Perbanas Institute. Appropriate legal action may be taken against any person, organization, or entity attempting to misrepresent, charge, or profit from the educational materials contained here.
Authors are allowed to use their own articles without seeking permission from any person, organization, or entity.
Following the GDPR, the CCPA quickly presented additional and different requirements that organizations must include in their privacy programs if they are subject to the regulation. With more disclosures surrounding personal information required, privacy is not limited to a designated office - stakeholders from various departments must be aware of and take ownership of activities within their functional realms.
Now, more than ever, we are seeing a blend of the privacy and security roles, and it is not uncommon to see Chief Information Security Officers (CISOs) heavily involved in privacy risk activities. Whether it’s taking data inventory and assessing risk to having a rock solid data breach response plan in place, CISOs provide the security component that is critical for a successful CCPA compliance plan.
-The CISOs role in CCPA compliance
-Potential risks to the security and privacy of sensitive information
-Mapping CCPA requirements to security processes and procedures
CYBER SECURITY and DATA PRIVACY 2022_How to Build and Implement your Company'... (Financial Poise)
Data is one of your business’s most valuable assets and requires protection like any other asset. How can you protect your data from unauthorized access or inadvertent disclosure?
An information security program is designed to protect the confidentiality, integrity, and availability of your company’s data and information technology assets. Federal, state, or international law may also require your business to have an information security program in place.
This webinar will provide the basics of how to create and implement an information security program, beginning with identifying your incident response team, putting applicable insurance policies into place, and closing any gaps in the security of your data.
Part of the webinar series:
CYBERSECURITY & DATA PRIVACY 2022
See more at https://www.financialpoise.com/webinars/
Personal Information Protection and Electronic Documents Act (PIPEDA) and Imp... (Michael Sukachev)
This document sets out personal information (PI) handling rules for software systems, derived from the PIPEDA principles, and guides the analysis of them.
It is recommended to include these rules as high-level requirements in any framework that implements privacy-by-design principles in Canada.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations in Canada. It sets out the ground rules for how businesses must handle personal information in the course of commercial activity.
As privacy and security professionals it's true: we simply can't get enough data on the costs of a data breach. This is primarily driven, of course, by our desire to quantify the risks associated with our profession in terms that organizations can understand and measure. Our quest is complicated, however, by the fact that breach cost data is so hard to come by.
This unique webinar will take data breach analysis to the next level. First we'll define our terms and review some of the best-known, publicly available data breach research. Then we'll dive into a more detailed, exhaustive, quantitative review of breach data. This will include both case studies of a few seminal data breaches and statistical analysis of data breaches in the aggregate.
Our featured speaker for this timely webinar is Patrick Florer, Co-Founder & CTO of Risk Centric Security. Patrick, who is also a Fellow and Chief Research Analyst at the Ponemon Institute, has decades of experience in risk analysis and analytics and is considered an expert in data breach analysis.
Fasken, a law firm, discusses the legal rights and responsibilities of mid-size commercial businesses with respect to data privacy and data security laws in Canada.
Cybersecurity: Protection strategies from Cisco and Next Dimension (Next Dimension Inc.)
Cisco's presentation on cyber security threats affecting mid-size commercial businesses, and how Cisco's suite of cyber security solutions can protect your business.
Patrick Bourk, National Cyber Practice Leader from Hub International, discusses the various cyber policies available for mid size commercial businesses. He also showcases the various types of risk to consider when working with an insurer.
Next Dimension and Veeam | Solutions for PIPEDA Compliance (Next Dimension Inc.)
Chris and Sean from Veeam discuss Availability, Disaster Recovery, and updating records per PIPEDA legislation. Veeam also discusses their solution to ransomware.
Next Dimension and Cisco | Solutions for PIPEDA Compliance (Next Dimension Inc.)
Duwayne Watson, a Cisco specialist from Ingram Micro, showcases various Data Security and Protection solutions such as: AMP, Umbrella, and CloudLock. These solutions can help your business remain compliant with PIPEDA legislation.
Robert Mercier, Senior Network Services Lead at Next Dimension, reviews IIoT and its impact on the manufacturing sector. He specifically addresses the value of IT/OT convergence, something that is highly valuable for the automotive manufacturing space.
Mike Killian from Cisco was in attendance at Next Dimension to discuss IoT, IT/OT Convergence, and all things Smart Manufacturing. This presentation showcases the impact of Smart Manufacturing strategies as implemented across Cisco's supply chain.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Pushing the limits of ePRTC: 100ns holdover for 100 days (Adtran)
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
GraphRAG is All You need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Climate Impact of Software Testing at Nordic Testing Days (Kari Kakkonen)
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing is discussed in the talk. ICT and testing must carry their part of global responsibility to help with climate warming. We can minimize the carbon footprint, but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be extended with sustainability, and then measured continuously. Test environments can be used less, at a smaller scale and on demand. Test techniques can be used to optimize or minimize the number of tests. Test automation can be used to speed up testing.
Generative AI Deep Dive: Advancing from Proof of Concept to Production (Aggregage)
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -... (DanBrown980551)
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices want to take full advantage of the features available on those devices, but many of those features provide convenience and capability at the expense of security. This best practices guide outlines steps users can take to better protect personal devices and information.
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
Removing Uninteresting Bytes in Software Fuzzing (Aftab Hussain)
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speed up fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Next Dimension and Siskinds PIPEDA Legislation Updates as of November 1 2018
1. Next Dimension
PIPEDA Legislation
WHAT YOU NEED TO KNOW | WHAT YOU NEED TO DO
This presentation does not constitute legal advice, nor should it be construed as such. The opinions expressed herein are solely mine, and they do not necessarily represent the views of Siskinds LLP, its partners, associates or affiliates.
2. Bio
Drew is an associate in Siskinds’ Technology, Privacy and Franchise Group. His practice focuses on providing legal services to businesses involved in the manufacture and distribution of goods and services via franchising, multi-level marketing, and technology transfer, development, distribution and licensing. He advises clients on matters relating to cybersecurity, data protection, privacy and anti-spam, including PIPEDA, Privacy Shield and GDPR compliance.
Practice Areas
Data protection | Cybersecurity | Privacy
Drew Johnson, Technology and Cyber Security Group
3. What is PIPEDA?
The Personal Information Protection and Electronic Documents Act
(PIPEDA) is the federal privacy law for private-sector organizations. It
sets out the ground rules for how businesses must handle personal
information in the course of their commercial activities.
4. What does PIPEDA apply to?
PIPEDA applies to the collection, use or disclosure of personal
information in the course of a commercial activity.
5. What does PIPEDA not apply to?
Organizations that do not engage in commercial, for-profit activities.
6. Geographic Scope
Unless the personal information crosses provincial or national borders,
PIPEDA does not apply to organizations that operate entirely within:
• Alberta
• British Columbia
• Quebec
7. What is personal information?
Personal information is data about an “identifiable individual”. It is
information that on its own or combined with other pieces of data,
can identify you as an individual.
8. What Does Personal Information Include?
• Age
• Credit card numbers
• Race, national or ethnic origin
• DNA
• Social Insurance number or driver’s license
• Opinions, comments or view about you as an employee
9. What is generally not considered personal information?
• Information that is not about an individual because the connection to
a person is too weak or far removed (a postal code).
• Information about a business or organization.
• A person’s business contact information.
• Name, title, and place of business.
10. 10 Principles of PIPEDA
The 10 fair information principles that businesses must follow:
Accountability
Identifying Purposes
Consent
Limiting Collection
Limiting Use, Disclosure and Retention
Accuracy
Safeguards
Openness
Individual Access
Provide Recourse
11. 1. Accountability
• Appointment of individual as Chief Privacy Officer.
• Establishment of a “privacy team”.
• Development of policies and procedures for the collection and
protection of personal information.
• Communication to customers/clients of the “go to” person for privacy
matters.
12. 2. Identifying Purposes
• Purpose must be clearly identified.
• Collection must be confined to what is necessary to complete the
purpose.
• Inform of purpose at the time personal information is collected.
• Purposes must be communicated such that individuals will clearly
understand all of the uses to which the information may be put.
13. 3. Consent
• Must be obtained from customers/clients to the collection and use of
their personal information.
• Express v. Implied Consent.
• Sensitivity of information – if the personal information is sensitive in
nature then express consent should be obtained.
14. 4. Limiting Collection
• Only that information that is reasonably necessary to fulfill the stated
purpose may be collected.
• Need to consider carefully whether information that is being collected
is really required for the purposes.
15. 5. Limiting Use, Disclosure and Retention
• Once collected, the information may only be used for the purposes
stated.
• If purposes change, new consent is required.
• If information will be disclosed to third parties, consent must be
obtained.
• Personal information should only be retained for so long as is
reasonably necessary to satisfy the purposes for which it was
collected.
• When purposes are complete, information should be disposed of.
16. 6. Accuracy
• Obligation to keep personal information up to date, complete and
accurate.
• Make corrections as necessary.
17. 7. Safeguards
• Develop and implement a security policy to protect personal
information.
• Consider where and how personal information is stored and who has
access.
• Must be protected against loss, theft and unauthorized access.
• Only those employees who need to make use of personal information
should have access.
Note: PIPEDA does not specify particular security safeguards that must be used. Rather, the onus is
on organizations to ensure that personal information is adequately protected.
18. More on Safeguarding…
• Use appropriate security safeguards to provide necessary protection.
• Degree of security to be exercised will depend on a number of
factors.
• Factors to Consider:
• sensitivity
• amount
• extent of distribution
• format
• type of storage
19. 8. Openness
• Employees need to be aware of the policies and the procedures
regarding privacy matters.
• Customers/clients need to be informed of the existence of privacy
policies and what the practices are.
• Communication of rights and responsibilities.
• Responsiveness to customers’ privacy related requests.
20. 9. Individual Access
• Individuals are entitled to review their personal information on
request.
• Corrections may be requested and should be made if appropriate.
• Response within 30 days of request.
21. 10. Challenge Compliance/Provide Recourse
• Development of complaint procedures.
• Should be straightforward and easily accessible.
• Responsiveness to complaints.
• Investigation.
• Corrective measures.
• Satisfaction of individual complainant.
22. Most Common Complaints
• Improper collection, use and/or disclosure of personal information.
• Difficulty obtaining access to personal information.
• Refusal to correct personal information.
• Inadequate safeguards.
23. Your Responsibility as a Business
• Comply with all 10 of the Principles.
• Protect personal information against loss or theft.
• Protect personal information regardless of the format in which it is
held.
• Safeguard the information from unauthorized access, disclosure,
copying, use or modification.
25. A breach of security safeguards is defined in
PIPEDA as:
• the loss of,
• unauthorized access to or
• unauthorized disclosure
of personal information resulting from a breach of an organization’s security
safeguards, or from a failure to establish those safeguards.
26. Duty to report to OPC - RROSH
PIPEDA requires you to report to the Office of the Privacy
Commissioner any breach of security safeguards involving personal
information under your control if it is reasonable in the circumstances
to believe that the breach of security safeguards creates a real risk of
significant harm to an individual.
27. Significant Harm
Significant harm includes:
• bodily harm,
• humiliation,
• damage to reputation or relationships,
• loss of employment,
• business or professional opportunities,
• financial loss,
• identity theft,
• negative effects on the credit record and
• damage to or loss of property.
28. Relevant Factors - RROSH
Factors that are relevant to determining whether a breach of security
safeguards creates a real risk of significant harm include:
• the sensitivity of the personal information and
• the probability the personal information has been/is/will be misused.
29. Sensitivity
PIPEDA does not define sensitivity.
Although some information (for example, medical records and income
records) is almost always considered to be sensitive, any information
can be sensitive, depending on the context.
• Names and addresses of subscribers to a newsmagazine would
generally not be considered sensitive information.
• Names and addresses of subscribers to some special-interest
magazines might be considered sensitive.
30. Circumstances
Following a breach, to determine sensitivity, it is therefore important to
examine both what personal information has been breached and the
circumstances.
• Certain information may on its face be clearly sensitive. Other
information may not be.
• The circumstances of the breach may make the information more or
less sensitive. The potential harms that could accrue to an individual
are also an important factor.
31. Probability of Misuse
Several questions you need to consider:
• What happened and how likely is it that someone would be harmed by the
breach?
• Who actually accessed or could have accessed the personal information?
• How long has the personal information been exposed?
• Is there evidence of malicious intent (e.g., theft, hacking)?
• Were a number of pieces of personal information breached?
• Is the breached information in the hands of an individual/entity that
represents a reputation risk to the individual(s) in and of itself?
• Was the information exposed to limited/known entities who have
committed to destroy and not disclose the data?
33. Timing of Report to the OPC
As soon as feasible after determination that the breach has occurred.
34. Notification to Individual
You must notify an individual of any breach of security safeguards
involving the individual’s personal information under your control if it is
reasonable in the circumstances to believe that the breach creates a
real risk of significant harm to the individual.
35. Contents of Notification
The notification must contain sufficient information to allow the
individual to understand the significance to them of the breach and to
take steps, if any are possible, to reduce the risk of harm that could
result from it or to mitigate that harm.
36. Form and Manner of Notice
The notification must be conspicuous and shall be given directly to the
individual in the prescribed form and manner.
37. Notification to Organizations
If you notify an individual of a breach of security safeguards, you must
also notify any other organization or government institution of the
breach if you believe that the other organization or the government
institution may be able to reduce the risk of harm that could result
from it or mitigate that harm.
38. Time to Give Notification to Individuals and
Organizations
The notification must be given as soon as feasible after the organization
determines that the breach has occurred.
40. Maintenance of Records
You must keep and maintain a record of every breach of security
safeguards involving personal information under your control.
41. Access by the OPC
You must, on request, provide the Commissioner with access to, or a
copy of, a record.
43. It is an offence to:
• Fail to comply with breach notification requirements.
• Fail to maintain a record of breaches of security safeguards.
• Destroy personal information that an individual has requested.
• Obstruct a complaint investigation or audit by the Commissioner or
their delegate.
45. What is an Incident Response Plan?
The IRP is the keystone internal policy necessary to help an
organization detect and react to computer security incidents,
determine their scope and risk, respond appropriately to the incident,
communicate the results and risk to all stakeholders, and reduce the
likelihood of the incident from reoccurring.
46. Why Does an Organization Need an IRP?
An IRP is a necessary policy to respond to a data incident in a timely manner, reducing reputational
damage and potential liability.
• The number of publicly disclosed data breaches rose by almost 50% in 2017 over 2016.*
• 61 percent of breach victims in 2017 were businesses with under 1,000 employees.*
• By responding quickly to and containing a data breach, companies average a savings of over
$1 million.*
Sources:
1. Identity Theft Resource Centre 2017 Annual Data Breach Year-End Review
2. 2017 Verizon Data Breach Investigations Report
3. 2018 Cost of a Data Breach Study by Ponemon
47. What is Included in an IRP?
• A list of the members of the Incident Response Team (IRT);
• Roles and responsibilities for the members of the IRT;
• A list of critical network and data recovery processes;
• A list of the tools, technologies, and resources available to assist
the response; and,
• A business continuity plan.
48. Legal Counsel and the IRP
An organization’s ability to keep cybersecurity efforts privileged is
stronger where the organization has taken each of these steps:
• Follow counsel’s directions for action;
• Set clear rules regarding communication; and
• Hire and manage outside vendors through counsel.
49. Disclosure of Data Incidents
An important role of legal counsel is to provide an organization with advice
on disclosure obligations and in drafting appropriate communications.
Following a data security incident, there are various disclosure and
reporting obligations imposed on organizations.
50. How Often Should IRP Training Occur?
An IRP is useless unless all of the members of the IRT understand it and are able
to implement it.
Beyond the IRT, all members of your staff are your front line against a data
security incident and should understand the importance of the IRP and full
cooperation with the IRT in identifying and rectifying a data incident.
Ongoing cyber-security training for staff and annual or semi-annual tabletop
exercises for issue identification and rectification by the IRT are critical to the
effective implementation of the IRP and reducing liability.
51. Can the IRP Stand on Its Own?
Privacy-by-design is no longer a buzzword.
• Privacy Policy;
• Terms of Use;
• Mobile Device Policy;
• Acceptable Use and Social Media Policy;
• Password Policy;
• Physical Security Policy;
• Security Infrastructure Policy;
• Data Protection Policy; and,
• Disaster Recovery/Business Continuity Plan.
52. Contact Us
Peter Dillon,
Head of Technology and Cybersecurity
Group
Email: peter.dillon@siskinds.com
Phone: 519-660-7818
Drew Johnson
Technology and Cybersecurity Group
Email: andrew.Johnson@siskinds.com
Phone: 519-660-7848
Stacey Bothwell
Business, Technology and Cybersecurity
Group
Email: stacey.bothwell@siskinds.com
Phone: 519-660-7792