Privacy Commissioners, rightfully, seem more incensed than ever when yet another loss of personal information occurs. Whether it's a server breach from poor firewalling or a lost laptop with unencrypted data, they know the technology is readily available to prevent the breach or make the loss of a device irrelevant. Combine that with Canada's inadequate privacy protection legislation they have to work with to protect individuals from the irresponsible handling of personal information, and it must be frustrating.
PII (Personally Identifiable Information) is valuable to cybercriminals. The Internet enables a great variety of profitable criminal activities so PII, fresh PII, is worth a lot. So much of it now resides in black-market websites the per record price has fallen, but new financial or health record profiles still command a lucrative price.
Let's say a USB stick is lost containing 20,000 records with financial details of individuals including name, address, bank account information, social insurance and driver's license numbers. A bargain price for those profiles on the Internet black-market would be $10 a record. It's basically a $200,000 memory stick for the thief that gets his hands on it. It's worth every penny in the years to come to the criminals who buy those stolen records because millions could be bilked from the bank accounts and credit cards of individuals those records involve.
So the stakes are high. Consequently, the privacy commissioners hammer down hard on those high profile losses when thousands of records go missing. They want disclosure of the incident and protection for the individuals. The media piles on, always on the hunt for the details, to splay the true extent of the incident for their readers.
But the disclosure of certain details and the sensationalizing of them can possibly ensure just the kind of damage to individuals the privacy commissioners wish to avoid.
Let me explain.
Limiting the publication of certain details, when for example a device is lost or stolen, is critical in protecting the interests of the potentially affected individuals. In the recent loss of a laptop containing financial profiles, while the device was still unrecovered, the media was reporting the device type, details about the nature, quality and number of records it contained, and the specific geographic area in which it was lost. It made for one very hot, sought-after property in criminal circles.
If it was not a targeted theft, just a misplaced device or in the hands of a petty thief simply interested in the device itself, as the majority of lost or stolen devices are, publishing the details no doubt set-off a criminal treasure hunt. The forums where these things are bartered and sold, as well as Kijiji and eBay, must have been lit up that week.
Organizations that carefully and thoughtfully release only need to know details are right to do so. Until the status of the device or evidence the data it contained has been breached, and until the proper advice to the affected individuals and protection for them is in place, controlling the availability of certain details is important.
Savvy privacy commissioners know this. But not all. And organizations that withhold advising the commissioners promptly really annoy the commissioners, then everyone is off on a bad foot. Both of these reasons are why, in this new and complex digital age, once a breach or loss is discovered it is well-advised to work with qualified counsel and notify as soon as possible. In every event, though, all parties need to think hard about what they are saying and when, lest a potentially bad situation is driven to a genuinely bad situation, on the back of the details made available.
Don't get me wrong. I think every jurisdiction should have a law that requires the reporting of the loss of PII in virtually every instance and especially require prompt advice to the affected individuals to allow them to protect themselves as soon as possible. Bill C-12, an update to our Federal Personal Information Protection and Electronic Documents Act that underwent first reading in 2011 and now seems lost in process, does only a little to change that, if it passes. But individuals do have a right to know when their personal information has been mismanaged, as soon as possible, to protect themselves.
If advice to the affected individuals can only be done through the media due to the size of the breach, so be it. But the trade-off in alerting the criminal elements to a device or cache of data that may or may not be in their hands needs to be carefully considered.
In some jurisdictions, Ontario for example, a strong encryption standard exists that allows an organization to skip the whole public flogging and notification process if the device was properly secured and encrypted. It is a tough standard to meet and basically creates military-grade security on the device. Given the strength of encryption algorithms today, when professionally applied there is only a negligible chance that data could ultimately be read, even though in the case of a lost device it is out of the control of the custodian of the data.
Class action lawsuits from the loss of data through poorly managed endpoint devices are surfacing, most recently against an Ottawa-area hospital. My guess is that while the plaintiffs may not have to prove actual damages to get a payout, the court will have to consider the true potential for damage given the uncertainty of whether the device fell into nefarious hands or was just kicked down a sewer. Beyond that, I think on this scale, in this digital age, a court would award very little for the anxiety aspect. But then again, this all goes to prove that protecting yourself from data loss and managing any data loss event carefully is an issue with potentially major impact on your business, rather than just a regulatory requirement.