Privacy Access Letter I Feb 5 07
“Dear Privacy Officer” – the Nightmare Letter (Part I)
Constantine Karbaliotis, LL.B., CIPP [1] [2]
Introduction
Canada does not currently have a general law requiring notification of personal
information breaches; however, under PIPEDA and Canadian provincial privacy legislation,
individuals have the right to ask businesses that have collected their personal
information what is known about them. In light of recent security failures affecting
millions of Canadian credit card holders [3], companies would do well to consider the
possibility that such laws might soon be introduced. At minimum, they should expect that
individuals will exercise their “right to know” more vigorously and will seek to understand
the corporate privacy and security measures intended to protect their personal information.
There have been a number of warnings that privacy is not very well understood or
protected by retailers. A study produced last year [4] indicates a general failure on the
part of retailers to adequately understand or deal with accountability, openness, access and
consent. The capacity of retailers to safeguard personal information, or even to know
whether a breach has occurred, is also suspect.
These events also highlight the likelihood that there are many more unreported events
affecting Canadians. While Canada does not have mandatory notification of privacy
breaches, except under Ontario’s Personal Health Information Protection Act (PHIPA), the
western Privacy Commissioners have held that a moral, if not legal, duty to notify exists
under the ‘safeguarding’ principle [5]. Companies have a duty to safeguard personal
information, and if a breach occurs, this duty extends to taking steps to mitigate the harm
caused by the breach.
[1] Canadian Senior Compliance Business Specialist, Symantec (Canada) Corporation
[2] This is intended to provide commentary on legal issues and how technology can be used to support
compliance. It is not intended, and should not be relied upon, to provide legal advice in any particular
factual circumstance, as individual situations will differ and should be discussed with a lawyer.
[3] http://www.cbc.ca/money/story/2007/01/18/winnersbreach.html
[4] “Compliance with Canadian Data Protection Laws: Are retailers measuring up?”, The Canadian Internet
Policy and Public Interest Clinic (April 2006), www.cippic.ca
©Symantec (Canada) Corp. February 5, 2007
Principles relating to Safeguarding and Access
Given the public’s awareness of privacy breaches, brought about by reports in the media
(and breaches are in fact likely underreported), companies should be prepared for
Canadians exercising their right to inquire not only what an organization knows about
them, but whether their personal information is at risk or has been exposed. Principle 9 of
the Canadian Standards Association Privacy Principles, incorporated into PIPEDA as a
schedule, states as follows:
9. Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his
or her personal information, and shall be given access to that information. An individual
shall be able to challenge the accuracy and completeness of the information and have it
amended as appropriate.
Also relevant are the following principles:
1. Accountability
An organization is responsible for personal information under its control and shall
designate an individual or individuals who are accountable for the organization's
compliance with the following principles.
7. Safeguards
Personal information shall be protected by security safeguards appropriate to the
sensitivity of the information.
8. Openness
An organization shall make specific information about its policies and practices
relating to the management of personal information readily available to individuals.
10. Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the
above principles to the designated individual or individuals accountable for the
organization's compliance.
[5] “Approaches to Security Breach Notification: A White Paper”, The Canadian Internet Policy and Public
Interest Clinic (CIPPIC) (January 9, 2007), pp. 3, 5.
An elaboration of the 8th principle in the Schedule provides as follows:
4.8.1
Organizations shall be open about their policies and practices with respect to the
management of personal information. Individuals shall be able to acquire information
about an organization’s policies and practices without unreasonable effort. This
information shall be made available in a form that is generally understandable.
Policies are high-level statements of goals for the organization, and are often found in
documents that outline corporate security policies, which may be based on standards such
as ISO 17799. Practices, in this context, are how the policies are implemented, and sit
more at the level of IT controls designed to ensure that the policies are carried out through
technological means.
These access rights may bring about broader questions than merely “what do you know
about me?” From the retailer’s standpoint, simply relaying principle seven and the other
principles contained in PIPEDA does little more than restate a legal obligation [6] and is
therefore meaningless. A company does not have to disclose so much detail that it would
put at risk the personal information it is obliged to protect. However, a response to a
customer’s request about how their personal information is safeguarded should provide
sufficient detail to satisfy them that their information has in fact been protected by
safeguards appropriate to the sensitivity of the data.
[6] “A common variation of the themes set out above is for companies to merely restate their legal
requirements under PIPEDA rather than explaining their own data management practices in detail.”
“Compliance with Canadian Data Protection Laws: Are retailers measuring up?”, The Canadian Internet
Policy and Public Interest Clinic (April 2006) at page 39.
Organizations would do well to be prepared for the receipt of the ‘nightmare access
letter’ [7] from an irate consumer who knows a little too much about privacy and information
technology.
The following is an example of the access letter, offered as a tool for C-level
executives on the forefront of dealing with privacy breach fallout. Of course, only a finding
from a privacy commissioner would determine whether this letter would have to be
answered if received by a company. Some points may be considered as asking for too much
in an access request. I would suggest that this letter is premised upon the principles set
out above, and the right to be informed of personal information policies and procedures.
In any case, a positive use of this letter for executives concerned about their privacy
policies would be to send it to their own organization and treat it as a real letter from a
customer. This would serve as a test of the company’s compliance and security teams’
capability to respond to this type of request – a privacy ‘vulnerability’ test. It will provide
insight not only into the ability to answer privacy access requests, but will also highlight
corporate data handling issues that can grow into privacy breaches.
[7] Points 1 through 3 are based upon the template letter contained in the publication “Compliance with
Canadian Data Protection Laws: Are retailers measuring up?”, The Canadian Internet Policy and Public
Interest Clinic (April 2006) at page 67. The items contained in 4(a) are based upon the proposed format of
breach notification contained in “Approaches to Security Breach Notification: A White Paper”, The
Canadian Internet Policy and Public Interest Clinic (CIPPIC) (January 9, 2007), p 27.
The Nightmare Letter for Access
Dear Sir/Madam:
I am writing to you in your capacity as privacy officer for your company. I am a
customer of yours, and in light of recent events, I am making this request for access
to personal information pursuant to principles 1, 7, 8, 9 and 10 of Schedule 1 of the
Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). I
am very concerned that your company’s information practices may be putting my
personal information at undue risk of exposure, or in fact have breached its
obligation to safeguard my personal information pursuant to principle 7. I would
like you to be aware at the outset that I anticipate a reply to my request within 30
days as required by s. 8(3) of PIPEDA, failing which I will be forwarding my inquiry
with a letter of complaint to the Federal Privacy Commissioner’s Office.
Please advise as to the following:
1. Please provide me with a copy of all specific personal information you have
about me in your files and databases. In particular, please tell me what you know
about me in your information systems, whether or not contained in databases, and
including e-mail, documents on your networks, or voice or other media that you
may store.
2. Please provide me with a detailed accounting of the specific uses that you
have made, are making, or will be making of this information.
3. Please provide a list of all companies with whom you have (or may have)
shared my information. If you cannot identify with certainty the specific companies
to whom you have disclosed my information, please provide a list of companies to
whom you may have disclosed information about me.
4. I would like to know whether or not my personal information has been
disclosed inadvertently by your company in the past, or as a result of a security or
privacy breach.
a. If so, please advise as to the following details of each and any such
breach:
i. a general description of what occurred;
ii. the date and time of the breach (or the best possible
estimate);
iii. the date and time the breach was discovered;
iv. the source of the breach (either your own organization, or a
third party to whom you have transferred my personal information);
v. details of my personal information that was disclosed;
vi. your company’s assessment of the risk of identity fraud to
myself, as a result of the breach;
vii. a description of the measures taken or that will be taken to
prevent further unauthorized access to my personal information;
viii. contact information so that I can obtain more information and
assistance in relation to such a breach; and
ix. information and advice on what I can do to protect myself
against identity theft and fraud.
b. If you are not able to state with any certainty whether such an
exposure has taken place, through the use of appropriate technologies,
please advise what mitigating steps you have taken, such as:
i. Encryption of my personal information;
ii. Data minimization strategies; or,
iii. Any other means.
c. Please advise if you have had any circumstances in which
employees or contractors have been dismissed, and/or been charged under
criminal laws for accessing my personal information inappropriately, or if
you are unable to determine this, of any customers, in the past twelve
months.
5. I would like to know your information policies and standards that you follow
in relation to the safeguarding of my personal information, such as whether you
adhere to ISO17799 for information security, and more particularly, your practices
in relation to the following:
a. Please inform me whether you have backed up my personal
information to tape or other media, and where it is stored and how it is
secured, including what steps you have taken to protect my personal
information from loss or theft, and whether this includes encryption.
b. Please also advise whether you have in place any technology which
allows you with reasonable certainty to know whether or not my personal
information has been disclosed, including but not limited to the following:
i. Intrusion detection systems;
ii. Firewall technologies;
iii. Access and identity management technologies;
iv. Database audit and/or security tools; or,
v. Behavioural analysis tools, log analysis tools, or audit tools;
c. Please also advise what technologies or business procedures you
have to ensure that individuals within your organization will be monitored
to ensure that they do not deliberately or inadvertently disclose personal
information outside your company, through e-mail, web mail or instant
messaging, or otherwise.
Yours Sincerely,
I. Rate
Symantec Solutions
What does this mean for your organization? Keep in mind that in order to address these
concerns, no software solution is by itself complete. The goal for implementing compliance
solutions is to understand the problem in the context of your business, to build the
appropriate foundations within the company to support a culture of compliance, and to
support these efforts with appropriate tools, such as set out below.
Implication / Symantec’s Solution

1. Most organizations have a limited ability to find what they know about an individual.
Information is not often in structured databases; in fact the majority of information today
is in unstructured forms such as e-mails, documents on file servers and on individual
machines, even in voice mail systems.
• Symantec Enterprise Vault

2. Similarly, few organizations can actually know how the personal information they collect
is being used, or limit use to the terms on which it was collected – based upon the consent
of the individuals, and the stated privacy policy at the time of collection.
• Symantec Bindview Policy Manager

3. Increasingly, organizations are relying on their contracts to impose standards – and
audits – on their subcontractors, to ensure that they are doing what they promise in terms
of protecting client information. However, security is not equivalent to privacy, and the use
of personal information remains an area of challenge.
• Symantec Control Compliance Suite
• Symantec Enterprise Security Manager

4(a) As mentioned above, the challenge for many organizations is to simply know if they
have had a security issue or not, and if they have, what exactly has happened. Few have
the tools to support this type of investigation, requiring considerable manual effort from
IT staff to support audits, and forensics to determine what has happened after a breach.
• Symantec Control Compliance Suite
• Symantec Enterprise Security Manager
• Symantec Database Security and Audit
• Symantec Security Information Manager

4(b) It is also the case that many companies regard security as ending with a firewall,
assuming that this will stop all threats. Effective security policy is built upon the
assumption that someone will overcome the first line of defence, or that the threat will
come from within.
• Symantec Security Information Manager
• Symantec Network Access Control
• Symantec Sygate Enterprise Protection
• Symantec On Demand Protection
• Symantec Database Security and Audit

4(c) Internal threats, rogue employees and criminal organizations are part of the corporate
landscape, and raise the question of the ability to detect unusual access or behaviour
within the organization.
• Symantec Sygate Enterprise Protection
• Symantec On Demand Protection
• Symantec Database Security and Audit

5(a) Backups are particularly thorny – they are snapshots of the organization as a whole,
taken repeatedly on a daily, weekly and/or monthly basis. There are major issues with the
management of tapes, their storage and handling, and the ability of organizations to find
personal information relevant to a single individual somewhere in that massive realm of
tapes. Use of backups in this fashion is inappropriate.
• Symantec Enterprise Vault
  o Compliance Accelerator
  o Discovery Accelerator

5(b) Establishing controls over information technology has become increasingly important
in the area of SOX/Bill 198 compliance, but is only slowly becoming an area of privacy
compliance. The Payment Card Industry Data Security Standard (PCI-DSS) is imposing new
requirements for protecting credit card data, which will impact privacy protection.
However, today few organizations have the tools required to know they have been
compromised.
• Symantec Control Compliance Suite
• Symantec Enterprise Security Manager
• Symantec Database Security and Audit

5(c) Content control is something few organizations have in place, despite the fact that
e-mail is the most common medium for communication today, and the sheer number of
e-mail messages mandates some form of automation to gain effective control.
• Symantec Mail Security
• Symantec Enterprise Vault
  o Compliance Accelerator
Next time: The Nightmare Letter Part II – “Now, please get rid of my personal information.”