Privacy legislation in Canada, the U.S. and the EU can get a little confusing. Consider this alphabet soup: PIPEDA. PIPA. HIPA. GLBA.
Organizations need to protect their personal data or face ramifications, the worst of which is loss of customer confidence. But many are unaware of where breaches are taking place and how they can meet the many requirements imposed on them by securities commissions.
In some cases, organizations are turning to outsourcers or service providers to help them comply with privacy legislation. It’s an area where resellers could offer value-add to their clients.
The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) teamed up to establish an Enterprise-Wide Privacy Task Force to assist organizations in managing privacy risk. Last year, they introduced a Privacy Framework for protecting personal information; it incorporates concepts from domestic and international privacy laws, regulations and guidelines.
“It’s global, it’s not something the Canadian government is trying to force on us,” says Robert Parker, a partner with Deloitte Canada’s Enterprise Risk Services Group. “In fact, we’re probably a little behind the global community right now.”
The problem is there hasn’t been a compelling event for action in Canada — yet — to put privacy at the forefront of people’s minds. “Secondly, there are not a lot of penalties under the Canadian legislation,” says Parker. “It does not have a lot of enforcement mechanisms.”
In Ontario, for example, the province is covered by the federal private sector privacy legislation — PIPEDA, or the Personal Information Protection and Electronic Documents Act — and its own public sector privacy legislation. (Each province is different, which is why it’s so confusing.) The Information and Privacy Commissioner of Ontario has the authority to order government organizations to stop the collection of personal information, says Bob Spence, communications co-ordinator for the Office of the Information and Privacy Commissioner of Ontario. However, if a breach has already occurred, not much can be done except for recommendations on changes in process.
But rather than legislation and enforcement, Parker says the desirable position would be to have organizations recognize that the landscape has changed and move to fair information practices.
“You must collect [information] in a fair and lawful manner, you must tell people what you’re going to do with it, you must offer them the option to opt out, and so forth,” he says.
“If businesses were to take a fair information practices approach and say this is important to differentiate my organization from other organizations because we care about an individual’s personal information, that would probably be preferable to developing a bureaucracy to go around and try to hunt them down and punish them.”
In 1995, the EU passed Directive 95/46, which gave every European country three years to implement privacy legislation that met or exceeded that standard. In 2000, the U.S. entered a safe harbour agreement with the EU, and in 2002, the Privacy Protection Act was passed.
The U.S. also has HIPA (the Health Information Protection Act), GLBA (the Gramm-Leach-Bliley Act), which focuses on privacy of financial information, and Sarbanes-Oxley, which focuses on accountability of transactions.
In 2003, California enacted Senate Bill 1386, “which really ramped up privacy with identity theft overtones,” says Parker. The U.S. now has about 4,000 pieces of legislation with privacy components, which can have implications for Canadian companies that do business with the U.S., are subsidiaries of American companies or are listed on an American stock exchange.
In Canada, Bill C-6, which put privacy legislation and electronic document legislation together into PIPEDA, took effect for some organizations in January 2001.
But many aren’t aware of the details of the legislation or even how they’re breaching that legislation. Ottawa-based Coast Software provides compliance management tools that allow organizations to monitor their online properties, analyze them and start managing compliance breaches as well as unstructured data.
“Unstructured data comprises 90 per cent of all data in an organization today,” says Paul Saunders, president and CEO of Coast Software.
“In an average large-size organization, they generate over 300,000 documents per month — and that unstructured data is doubling every two months.”
And many of them don’t know where all their online properties are. “They don’t have a good inventory of it and they certainly don’t have an inventory of the content on those online properties,” he says. “What happens is, in many respects, they are breaching data security regulations they have internally to the organization and external legislation and compliance standards that have been established in both the privacy and data security world.”
His company’s technology will harvest this information, apply compliance rules to unstructured data, report on any breaches, assign priorities to those breaches and manage them to resolution.
“Executives are now responsible for compliance,” he says. “Not being aware of breaches for regulatory compliance or internal compliance is not good enough anymore, it’s not a good defense if they’re being litigated.”
What is a good defense, he says, is if they say they’ve taken positive steps to start understanding all of the data in the organization and ensuring that data is compliant with regulatory standards.
As data moves increasingly through the air, organizations are facing problems with privacy compliance on wireless devices as well.
Toronto-based Diversinet Corp. is a service provider of authentication services for the mobile world. Stuart Vaeth, its chief security officer, noted that wireless devices are becoming smarter and more capable of doing financial transactions and storing private data. But there are few standards for these devices, most of which are proprietary and device-specific.
With identity theft and phishing attacks on the rise, authentication is becoming a critical issue, he adds.
“[Organizations] are having enough of a challenge coming up with and administering policies for devices that they’re issuing,” he says. “Dealing with employee-owned devices is becoming a big issue.”
He says companies need to conduct asset management and then configuration management of those devices. This means, as employees use those devices to download corporate information, the company is extending its policies for data protection into the wireless world.
“But putting those policies into practice is another matter,” he says. “You have to look at products and technology from vendors that solve that, [but] unless you can control the numbers and variations of devices your employees are using, that becomes a very difficult challenge.”
He says an organization’s policies and procedures need to come from its requirements, what threats it’s concerned with and what regulations it’s meeting.
Some companies are turning to outsourcers or service providers, like Diversinet, to make sure they have technology in plac