“Dear Privacy Officer” – the Nightmare Letter (Part I)
Constantine Karbaliotis, LL.B., CIPP [1][2]
Introduction

Canada does not currently have a general law requiring notification of personal information breaches; however, under PIPEDA and Canadian provincial privacy legislation, individuals are afforded the right to ask businesses that have collected their personal information what is known about them. In light of recent security failures affecting millions of Canadian credit card holders[3], companies would do well to consider the possibility that such laws might soon be introduced. At minimum, they should expect that individuals will exercise their “right to know” more vigorously and will seek to understand the corporate privacy and security measures intended to protect personal information.

There have been a number of warnings that privacy is not very well understood or protected by retailers. A study produced last year[4] indicates a general failure on the part of retailers to adequately understand or deal with accountability, openness, access and consent. The capacity of retailers to safeguard personal information, or even to know if a breach has occurred, is also suspect.

These events also highlight the likelihood that there are many more unreported events affecting Canadians. While Canada does not have mandatory notification of privacy breaches, except under Ontario’s Personal Health Information Protection Act (PHIPA), it has been held by the western Privacy Commissioners that a moral, if not legal, duty to notify exists under the ‘safeguarding’ principle[5]. Companies have a duty to safeguard personal information, and if a breach occurs, this duty is extended to taking steps to mitigate the harm caused by the breach.

[1] Canadian Senior Compliance Business Specialist, Symantec (Canada) Corporation
[2] This is intended to provide commentary on legal issues and how technology can be used to support compliance. It is not intended, and should not be relied upon, to provide legal advice in any particular factual circumstance, as individual situations will differ and should be discussed with a lawyer.
[3] http://www.cbc.ca/money/story/2007/01/18/winnersbreach.html
[4] “Compliance with Canadian Data Protection Laws: Are retailers measuring up?”, The Canadian Internet Policy and Public Interest Clinic (April 2006), www.cippic.ca

©Symantec (Canada) Corp. February 5, 2007


Principles relating to Safeguarding and Access

Given the public’s awareness of privacy breaches, brought about by reports in the media (and such breaches may in fact be underreported), companies should be prepared for Canadians exercising their right to inquire not only what an organization knows about them, but whether their personal information is at risk or has been exposed. Principle 9 of the Canadian Standards Association Privacy Principles, incorporated into PIPEDA as a schedule, states as follows:

        9. Individual Access
        Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information, and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Also relevant are the following principles:

        1. Accountability
        An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

        7. Safeguards
        Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

        8. Openness
        An organization shall make specific information about its policies and practices relating to the management of personal information readily available to individuals.

        10. Challenging Compliance
        An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

[5] “Approaches to Security Breach Notification: A White Paper”, The Canadian Internet Policy and Public Interest Clinic (CIPPIC) (January 9, 2007), pp. 3, 5.


An elaboration of the 8th principle in the Schedule provides as follows:

        4.8.1
        Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.

Policies are high-level statements of goals for the organization, and are often found in documents that outline corporate security policies, which may be based on standards such as ISO 17799. Practices, in this context, are how the policies are implemented, and sit more at the level of IT controls designed to ensure that the policies are carried out through technological means.

These access rights may bring about broader questions than merely “what do you know about me?” From the retailer’s standpoint, simply relaying principle seven and the other principles contained in PIPEDA does little more than restate the legal obligation[6] and is therefore meaningless. A company does not have to disclose so much detail that it would put at risk the personal information it is obliged to protect. However, responding to a customer’s request about how their personal information is safeguarded should provide sufficient detail to satisfy them that their information has in fact been protected by safeguards that are appropriate to the sensitivity of the data.

[6] “A common variation of the themes set out above is for companies to merely restate their legal requirements under PIPEDA rather than explaining their own data management practices in detail.” “Compliance with Canadian Data Protection Laws: Are retailers measuring up?”, The Canadian Internet Policy and Public Interest Clinic (April 2006) at page 39.

Organizations would do well to be prepared for the receipt of the ‘nightmare access letter’[7] from an irate consumer who knows a little too much about privacy and information technology.

The following is an example of the access letter and is offered as a tool for C-level executives on the forefront of dealing with privacy breach fallout. Of course, only a finding from a privacy commissioner would determine whether this letter would have to be answered if received by a company. It may be that some points would be considered as asking for too much in an access request. I would suggest that this letter is premised upon the principles set out above, and the right to be informed of personal information policies and procedures.

In any case, a positive use of this letter for executives concerned about their privacy policies would be to send it to their own organization, and treat it as a real letter from a customer. This would serve as a test of the company’s compliance and security teams’ capability to respond to this type of request – a privacy ‘vulnerability’ test. This will provide insight not only into the ability to answer privacy access requests, but also highlight corporate data handling issues that can grow into privacy breaches.

[7] Points 1 through 3 are based upon the template letter contained in the publication “Compliance with Canadian Data Protection Laws: Are retailers measuring up?”, The Canadian Internet Policy and Public Interest Clinic (April 2006) at page 67. The items contained in 4(a) are based upon the proposed format of breach notification contained in “Approaches to Security Breach Notification: A White Paper”, The Canadian Internet Policy and Public Interest Clinic (CIPPIC) (January 9, 2007), p 27.

The Nightmare Letter for Access

        Dear Sir/Madam:

        I am writing to you in your capacity as privacy officer for your company. I am a customer of yours, and in light of recent events, I am making this request for access to personal information pursuant to principles 1, 7, 8, 9 and 10 of Schedule 1 of the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). I am very concerned that your company’s information practices may be putting my personal information at undue risk of exposure, or in fact have breached its obligation to safeguard my personal information pursuant to principle 7. I would like you to be aware at the outset that I anticipate a reply to my request within 30 days as required by s. 8(3) of PIPEDA, failing which I will be forwarding my inquiry with a letter of complaint to the Federal Privacy Commissioner’s Office.

        Please advise as to the following:


        1.  Please provide me with a copy of all specific personal information you have about me in your files and databases. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.

        2.  Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of this information.

        3.  Please provide a list of all companies with whom you have (or may have) shared my information. If you cannot identify with certainty the specific companies to whom you have disclosed my information, please provide a list of companies to whom you may have disclosed information about me.

        4.  I would like to know whether or not my personal information has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.

            a.  If so, please advise as to the following details of each and any such breach:

                i.     a general description of what occurred;
                ii.    the date and time of the breach (or the best possible estimate);
                iii.   the date and time the breach was discovered;
                iv.    the source of the breach (either your own organization, or a third party to whom you have transferred my personal information);
                v.     details of my personal information that was disclosed;
                vi.    your company’s assessment of the risk of identity fraud to myself, as a result of the breach;
                vii.   a description of the measures taken or that will be taken to prevent further unauthorized access to my personal information;
                viii.  contact information so that I can obtain more information and assistance in relation to such a breach; and
                ix.    information and advice on what I can do to protect myself against identity theft and fraud.

            b.  If you are not able to state with any certainty whether such an exposure has taken place, through the use of appropriate technologies, please advise what mitigating steps you have taken, such as:

                i.     encryption of my personal information;
                ii.    data minimization strategies; or
                iii.   any other means.

            c.  Please advise if you have had any circumstances in which employees or contractors have been dismissed, and/or been charged under criminal laws, for accessing my personal information inappropriately, or, if you are unable to determine this, that of any customers, in the past twelve months.


        5.  I would like to know the information policies and standards that you follow in relation to the safeguarding of my personal information, such as whether you adhere to ISO17799 for information security, and more particularly, your practices in relation to the following:

            a.  Please inform me whether you have backed up my personal information to tape or other media, where it is stored and how it is secured, including what steps you have taken to protect my personal information from loss or theft, and whether this includes encryption.

            b.  Please also advise whether you have in place any technology which allows you to know with reasonable certainty whether or not my personal information has been disclosed, including but not limited to the following:

                i.     intrusion detection systems;
                ii.    firewall technologies;
                iii.   access and identity management technologies;
                iv.    database audit and/or security tools; or
                v.     behavioural analysis tools, log analysis tools, or audit tools.

            c.  Please also advise what technologies or business procedures you have to ensure that individuals within your organization are monitored so that they do not deliberately or inadvertently disclose personal information outside your company, through e-mail, web mail or instant messaging, or otherwise.

        Yours sincerely,

        I. Rate


Symantec Solutions

What does this mean for your organization? Keep in mind that in order to address these concerns, no software solution is by itself complete. The goal for implementing compliance solutions is to understand the problem in the context of your business, to build the appropriate foundations within the company to support a culture of compliance, and to support these efforts with appropriate tools, such as those set out below.


Item   Implication                                                   Symantec’s Solution

1      Most organizations have a limited ability to find what they know about an individual. Information is not often in structured databases; in fact the majority of information today is in unstructured forms such as e-mails, documents on file servers and on individual machines, even in voice mail systems.
       • Symantec Enterprise Vault

2      Similarly, few organizations can actually know how the personal information they collect is being used, or limit use to the terms on which it was collected – based upon the consent of the individuals, and the stated privacy policy at the time of collection.
       • Symantec Bindview Policy Manager

3      Increasingly, organizations are relying on their contracts to impose standards – and audits – on their subcontractors, to ensure that they are doing what they promise in terms of protecting client information. However, security is not equivalent to privacy, and the uses of personal information remain an area of challenge.
       • Symantec Control Compliance Suite
       • Symantec Enterprise Security Manager

4(a)   As mentioned above, the challenge for many organizations is to simply know if they have had a security issue or not, and if they have, what exactly has happened. Few have the tools to support this type of investigation, requiring considerable manual effort from IT staff to support audits, and forensics to determine what has happened after a breach.
       • Symantec Control Compliance Suite
       • Symantec Enterprise Security Manager
       • Symantec Database Security and Audit
       • Symantec Security Information Manager

4(b)   It is also the case that many companies regard security as ending with a firewall, assuming that this will stop all threats. Effective security policy is built upon the assumption that someone will overcome the first line of defence, or that the threat will come from within.
       • Symantec Security Information Manager
       • Symantec Network Access Control
       • Symantec Sygate Enterprise Protection
       • Symantec On Demand Protection
       • Symantec Database Security and Audit

4(c)   Internal threats, rogue employees and criminal organizations are part of the corporate landscape, and raise the question of the ability to detect unusual access or behaviour within the organization.
       • Symantec Sygate Enterprise Protection
       • Symantec On Demand Protection
       • Symantec Database Security and Audit

5(a)   Backups are particularly thorny – they are snapshots of the organization as a whole, taken repeatedly on a daily, weekly and/or monthly basis. There are major issues with the management of tapes, their storage and handling, and the ability of organizations to find personal information relevant to a single individual somewhere in that massive realm of tapes. Use of backups in this fashion is inappropriate.
       • Symantec Enterprise Vault
           o Compliance Accelerator
           o Discovery Accelerator

5(b)   Establishing controls over information technology has become increasingly important in the area of SOX/Bill 198 compliance, but is only slowly becoming an area of privacy compliance. The Payment Card Industry Data Security Standard (PCI-DSS) is imposing new requirements for protecting credit card data, which will impact privacy protection. However, today few organizations have the tools required to know that they have been compromised.
       • Symantec Control Compliance Suite
       • Symantec Enterprise Security Manager
       • Symantec Database Security and Audit

5(c)   Content control is something few organizations have in place, despite the fact that e-mail is the most common medium for communication today, and the sheer number of e-mail messages mandates some form of automation to gain effective control.
       • Symantec Mail Security
       • Symantec Enterprise Vault
           o Compliance Accelerator



Next time: The Nightmare Letter Part II – “Now, please get rid of my personal information.”




Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Privacy Access Letter I Feb 5 07

“Dear Privacy Officer” – the Nightmare Letter (Part I)
Constantine Karbaliotis, LL.B., CIPP [1][2]

Introduction

Canada does not currently have a general law requiring notification of personal information breaches; however, under PIPEDA and Canadian provincial privacy legislation, individuals are afforded the right to ask businesses that have collected their personal information what is known about them. In light of recent security failures affecting millions of Canadian credit card holders [3], companies would do well to consider the possibility that such laws might soon be introduced. At minimum, they should expect that individuals will exercise their “right to know” more vigorously and will seek to understand the corporate privacy and security measures intended to protect personal information.

There have been a number of warnings that privacy is not very well understood or protected by retailers. A study produced last year [4] indicates a general failure on the part of retailers to adequately understand or deal with accountability, openness, access and consent. The capacity of retailers to safeguard personal information, or even to know whether a breach has occurred, is also suspect.

These events also highlight the likelihood that there are many more unreported events affecting Canadians. While Canada does not have mandatory notification of privacy breaches, except under Ontario’s Personal Health Information Protection Act (PHIPA), it has been held by the western Privacy Commissioners that a moral, if not legal, duty to

[1] Canadian Senior Compliance Business Specialist, Symantec (Canada) Corporation
[2] This is intended to provide commentary on legal issues and how technology can be used to support compliance. It is not intended, and should not be relied upon, to provide legal advice in any particular factual circumstance, as individual situations will differ and should be discussed with a lawyer.
[3] http://www.cbc.ca/money/story/2007/01/18/winnersbreach.html
[4] “Compliance with Canadian Data Protection Laws: Are retailers measuring up?”, The Canadian Internet Policy and Public Interest Clinic (April 2006), www.cippic.ca

©Symantec (Canada) Corp. February 5, 2007
Page 2

notify exists under the ‘safeguarding’ principle [5]. Companies have a duty to safeguard personal information, and if a breach occurs, this duty extends to taking steps to mitigate the harm caused by the breach.

Principles relating to Safeguarding and Access

Given public awareness of privacy breaches brought about by reports in the media, and the fact that such breaches may well be underreported, companies should be prepared for Canadians exercising their right to inquire not only what an organization knows about them, but whether their personal information is at risk or has been exposed. Principle 9 of the Canadian Standards Association Privacy Principles, incorporated into PIPEDA as a schedule, states as follows:

9. Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information, and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Also relevant are the following principles:

1. Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles.

7. Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

8. Openness
An organization shall make specific information about its policies and practices relating to the management of personal information readily available to individuals.

10. Challenging Compliance

[5] “Approaches to Security Breach Notification: A White Paper”, The Canadian Internet Policy and Public Interest Clinic (CIPPIC) (January 9, 2007), pp. 3, 5.
Page 3

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

An elaboration of the 8th principle in the Schedule provides as follows:

4.8.1 Organizations shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about an organization’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.

Policies are high-level statements of goals for the organization, and are often found in documents that outline corporate security policies, which may be based on standards such as ISO 17799. Practices, in this context, are how the policies are implemented, and sit more at the level of IT controls designed to ensure that the policies are carried out through technological means.

These access rights may bring about broader questions than merely “what do you know about me?” From the retailer’s standpoint, simply relaying principle seven and the other principles contained in PIPEDA does little more than restate a legal obligation [6] and is therefore meaningless. A company does not have to disclose so much detail that it would put at risk the personal information it is obliged to protect. However, a response to a customer’s request about how their personal information is safeguarded should provide sufficient detail to satisfy them that their information has in fact been protected by safeguards appropriate to the sensitivity of the data.

[6] “A common variation of the themes set out above is for companies to merely restate their legal requirements under PIPEDA rather than explaining their own data management practices in detail.” “Compliance with Canadian Data Protection Laws: Are retailers measuring up?”, The Canadian Internet Policy and Public Interest Clinic (April 2006) at page 39.
Page 4

Organizations would do well to be prepared for the receipt of the ‘nightmare access letter’ [7] from an irate consumer who knows a little too much about privacy and information technology. The following is an example of such an access letter, offered as a tool for C-level executives on the forefront of dealing with privacy breach fallout. Of course, only a finding from a privacy commissioner would determine whether this letter would have to be answered if received by a company, and some points may be considered as asking for too much in an access request. I would suggest that this letter is premised upon the principles set out above, and the right to be informed of personal information policies and procedures.

In any case, a positive use of this letter for executives concerned about their privacy policies would be to send it to their own organization and treat it as a real letter from a customer. This would serve as a test of the company’s compliance and security teams’ capability to respond to this type of request – a privacy ‘vulnerability’ test. It provides insight not only into the ability to answer privacy access requests, but also highlights corporate data handling issues that can grow into privacy breaches.

The Nightmare Letter for Access

Dear Sir/Madam:

I am writing to you in your capacity as privacy officer for your company. I am a customer of yours, and in light of recent events, I am making this request for access to personal information pursuant to principles 1, 7, 8, 9 and 10 of Schedule 1 of the

[7] Points 1 through 3 are based upon the template letter contained in the publication “Compliance with Canadian Data Protection Laws: Are retailers measuring up?”, The Canadian Internet Policy and Public Interest Clinic (April 2006) at page 67. The items contained in 4(a) are based upon the proposed format of breach notification contained in “Approaches to Security Breach Notification: A White Paper”, The Canadian Internet Policy and Public Interest Clinic (CIPPIC) (January 9, 2007), p. 27.
Page 5

Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). I am very concerned that your company’s information practices may be putting my personal information at undue risk of exposure, or in fact may have breached its obligation to safeguard my personal information pursuant to principle 7. I would like you to be aware at the outset that I anticipate a reply to my request within 30 days, as required by s. 8(3) of PIPEDA, failing which I will be forwarding my inquiry with a letter of complaint to the Federal Privacy Commissioner’s Office.

Please advise as to the following:

1. Please provide me with a copy of all specific personal information you have about me in your files and databases. In particular, please tell me what you know about me in your information systems, whether or not contained in databases, and including e-mail, documents on your networks, or voice or other media that you may store.

2. Please provide me with a detailed accounting of the specific uses that you have made, are making, or will be making of this information.

3. Please provide a list of all companies with whom you have (or may have) shared my information. If you cannot identify with certainty the specific companies to whom you have disclosed my information, please provide a list of companies to whom you may have disclosed information about me.

4. I would like to know whether or not my personal information has been disclosed inadvertently by your company in the past, or as a result of a security or privacy breach.
Page 6

   a. If so, please advise as to the following details of each and any such breach:
      i. a general description of what occurred;
      ii. the date and time of the breach (or the best possible estimate);
      iii. the date and time the breach was discovered;
      iv. the source of the breach (either your own organization, or a third party to whom you have transferred my personal information);
      v. details of my personal information that was disclosed;
      vi. your company’s assessment of the risk of identity fraud to myself as a result of the breach;
      vii. a description of the measures taken, or that will be taken, to prevent further unauthorized access to my personal information;
      viii. contact information so that I can obtain more information and assistance in relation to such a breach; and
      ix. information and advice on what I can do to protect myself against identity theft and fraud.
   b. If you are not able to state with any certainty whether such an exposure has taken place, through the use of appropriate technologies, please advise what mitigating steps you have taken, such as:
      i. Encryption of my personal information;
Page 7

      ii. Data minimization strategies; or,
      iii. Any other means.
   c. Please advise if you have had any circumstances in which employees or contractors have been dismissed and/or charged under criminal laws for accessing my personal information inappropriately, or, if you are unable to determine this, that of any customers, in the past twelve months.

5. I would like to know the information policies and standards that you follow in relation to the safeguarding of my personal information, such as whether you adhere to ISO 17799 for information security, and more particularly, your practices in relation to the following:
   a. Please inform me whether you have backed up my personal information to tape or other media, where it is stored and how it is secured, including what steps you have taken to protect my personal information from loss or theft, and whether this includes encryption.
   b. Please also advise whether you have in place any technology which allows you to know with reasonable certainty whether or not my personal information has been disclosed, including but not limited to the following:
      i. Intrusion detection systems;
      ii. Firewall technologies;
      iii. Access and identity management technologies;
      iv. Database audit and/or security tools; or,
Page 8

      v. Behavioural analysis tools, log analysis tools, or audit tools;
   c. Please also advise what technologies or business procedures you have in place to monitor individuals within your organization so that they do not deliberately or inadvertently disclose personal information outside your company, through e-mail, web mail, instant messaging, or otherwise.

Yours Sincerely,

I. Rate

Symantec Solutions

What does this mean for your organization? Keep in mind that, in order to address these concerns, no software solution is by itself complete. The goal in implementing compliance solutions is to understand the problem in the context of your business, to build the appropriate foundations within the company to support a culture of compliance, and to support these efforts with appropriate tools, such as those set out below.

Implication / Symantec’s Solution

1. Most organizations have a limited ability to find what they know about an individual. Information is not often in structured databases; in fact the majority of information today is in unstructured forms such as e-mails, documents on file servers and on individual machines, even in voice mail systems.
   Symantec’s Solution:
   • Symantec Enterprise Vault

2. Similarly, few organizations can actually know how the personal information they collect is being used, or limit use to the terms on which it was collected – based upon the consent of the individuals, and the stated privacy policy at the time of collection.
   Symantec’s Solution:
   • Symantec Bindview Policy Manager

3. Increasingly, organizations are relying on their contracts to impose standards – and audits – on their subcontractors, to ensure that they are doing what they promise in terms of protecting client information. However, security is not equivalent to privacy, and the use of personal information remains an area of challenge.
   Symantec’s Solution:
   • Symantec Control Compliance Suite
   • Symantec Enterprise Security Manager

4(a). As mentioned above, the challenge for many organizations is simply to know whether they have had a security issue or not, and if they have, what exactly has happened. Few have the tools to support this type of investigation, which requires considerable manual effort from IT staff to support audits, and forensics to determine what has happened after a breach.
   Symantec’s Solution:
   • Symantec Control Compliance Suite
   • Symantec Enterprise Security Manager
   • Symantec Database Security and Audit
   • Symantec Security Information Manager

4(b). It is also the case that many companies regard security as ending with a firewall, assuming that this will stop all threats. Effective security policy is built upon the assumption that someone will overcome the first line of defence, or that the threat will come from within.
   Symantec’s Solution:
   • Symantec Security Information Manager
   • Symantec Network Access Control
   • Symantec Sygate Enterprise Protection
   • Symantec On Demand Protection
   • Symantec Database Security and Audit

4(c). Internal threats, rogue employees and criminal organizations are part of the corporate landscape, and raise the question of the organization’s ability to detect unusual access or behaviour within it.
   Symantec’s Solution:
   • Symantec Sygate Enterprise Protection
   • Symantec On Demand Protection
   • Symantec Database Security and Audit

5(a). Backups are particularly thorny – they are snapshots of the organization as a whole, taken repeatedly on a daily, weekly and/or monthly basis. There are major issues with the management of tapes, their storage and handling, and the ability of organizations to find personal information relevant to a single individual somewhere in that massive realm of tapes. Use of backups in this fashion is inappropriate.
   Symantec’s Solution:
   • Symantec Enterprise Vault
     o Compliance Accelerator
     o Discovery Accelerator

5(b). Establishing controls over information technology has become increasingly important in the area of SOX/Bill 198 compliance, but is only slowly becoming an area of privacy compliance. The Payment Card Industry Data Security Standard (PCI-DSS) is imposing new requirements for protecting credit card data, which will impact privacy protection. However, today few organizations have the tools required to know that they have been compromised.
   Symantec’s Solution:
   • Symantec Control Compliance Suite
   • Symantec Enterprise Security Manager
   • Symantec Database Security and Audit

5(c). Content control is something few organizations have in place, despite the fact that e-mail is the most common medium for communication today, and the sheer number of e-mail messages mandates some form of automation to gain effective control.
   Symantec’s Solution:
   • Symantec Mail Security
   • Symantec Enterprise Vault
     o Compliance Accelerator

Next time: The Nightmare Letter Part II – “Now, please get rid of my personal information.”