Spotlight On… Protection of Sensitive Data Including Personal Information
TLP GREEN
PUBLIC SAFETY CANADA

Purpose

On September 7, 2017, media reports indicated that a large American credit bureau had been breached, exposing the personal information of millions of consumers in the U.S. and the U.K. and potentially affecting 8,000 individuals in Canada. On November 28, 2017, the Canadian arm of the company posted information on its website indicating that an additional 11,670 Canadians had been affected, bringing the total number of Canadians affected to about 19,000.

In response to questions from partners of the Canadian Cyber Incident Response Centre (CCIRC) about this event, this product describes what organizations can do to reduce the risk of sensitive data, such as personal information, being exfiltrated from their organization. Information in this note includes:

• The Canadian statutory definition of personal information
• Upcoming regulatory changes to data breach reporting in Canada
• Examples of reported breaches of Canadian personal information
• Tactics, techniques, and procedures used to target Canadian personal information
• Tips for safeguarding sensitive information
• Advice from the Royal Canadian Mounted Police (RCMP) for individuals who believe their personal information may have been compromised

What is "Personal Information"?

According to the Office of the Privacy Commissioner of Canada (OPC), these are the statutory provisions relevant to the meaning of "personal information" in Canada:

Section 2(1) of the Personal Information Protection and Electronic Documents Act (2000, c. 5) (PIPEDA) states that "personal information" means "information about an identifiable individual."

Section 4(1) provides that PIPEDA applies to every organization in respect of personal information that the organization "collects, uses or discloses in the course of commercial activities" or that "is about an employee of, or an applicant for employment with, the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business."

Given the statutory requirement to protect "information about an identifiable individual," where in your organization is such information stored, and what technical, policy, training, and labelling measures are in place to protect it?

Forthcoming changes in Canada to the requirements for data breach reporting

There is no indication that personal information of the kind exfiltrated from this U.S. credit bureau is becoming a less attractive target for threat actors. At the same time, forthcoming regulatory changes in Canada will make it mandatory for organizations subject to PIPEDA to keep a record of breaches involving personal information and to provide a copy to the OPC on request. Once these changes are in force, an organization that knowingly fails to report to the OPC or to notify affected individuals of a breach that poses a real risk of significant harm, or that knowingly fails to maintain a record of all breaches, could face fines of up to $100,000.

The Digital Privacy Act (formerly Bill S-4) received Royal Assent in June 2015, making a number of significant amendments to Canada's federal private-sector privacy law, PIPEDA.
While many of the amendments came into force on Royal Assent, those relating to "breaches of security safeguards" come into force only after the federal government develops and puts in place the associated regulations.

The concept of "significant harm" includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft, among others. Factors an organization will need to consider when assessing whether there is a real risk of significant harm include the sensitivity of the information involved and the probability that the information has been or will be misused (or any other prescribed factor).

Examples of reported breaches of Canadian Personal Information

Theft of personal information is happening in Canada. In September 2017, a Canadian transportation company reported a breach of customer data covering the period January 2, 2017 to March 19, 2017. The company said its investigation determined that a subcontractor of one of its suppliers had inadvertently made some customer lists available on the Internet while performing a series of tests. According to the company, the exposed lists contained customers' names, postal codes, email addresses and travel details. Also in September, a Canadian news and entertainment website said some of its databases, containing the personal information of about one million users from 1996 to 2008, had been compromised.
Tactics, techniques, and procedures employed to target Canadian Personal Information

In a speech on "Causes of Breaches and Breach Prevention Recommendations" at a Cyber Summit in October 2016, Alberta's privacy commissioner observed (based on the mandatory breach reporting requirements in her province) that her office had seen an "increase in breaches that result from hacking, malware or phishing." In several cases reported to her office, "hackers installed malware on organizations' websites or gained unauthorized access to customer databases, specifically targeting financial and credit card information of customers." She said her office had also "seen an increase in another cybersecurity threat which involves unauthorized individuals posing as a CEO or other senior executive asking HR personnel or another administrator within the organization to send highly sensitive personal information in, for example, a spreadsheet." In one case reported to her office, she said, "the membership list of an association was sent to an unauthorized individual."

Tips to protect sensitive data such as Personal Information

On its website, the Office of the Privacy Commissioner of Canada (OPC) provides "Tips for Reducing the Likelihood of a Privacy Breach." These include:

• Know what personal information you have, where it is, and what you are doing with it. Data inventories and process maps will help ensure you know exactly what personal information you need to protect, as well as when and where you need to protect it.
• Know your vulnerabilities. Conduct risk and vulnerability assessments and/or penetration tests.
• Know your industry. Be aware of breaches in your industry; attackers often re-use the same attacks against multiple organizations.
• Encrypt laptops, USB keys and other portable media. Organizations often focus on privacy breaches caused by hackers, but this ignores some key threats, such as lost or stolen devices.
• Limit the personal information you collect, as well as what you retain. You should know not only why you are collecting each piece of personal information, but why you are keeping it.

For further tips, see the article "Ten Tips for Reducing the Likelihood of a Privacy Breach" on the OPC website.

With respect to the federal government, the Communications Security Establishment (CSE), working with the Treasury Board Secretariat (TBS) Chief Information Officer Branch, defines the IT security standards, practices and technical guidance that IT security practitioners should use. For the standards promoted by CSE for the protection of Protected B information on Government of Canada systems, including records labelled as personal information, see "Annex 4A - Profile 1 - (PROTECTED B / Medium Integrity / Medium Availability)" in Information Technology Security Guidance Publication 33 (ITSG-33), IT Security Risk Management: A Lifecycle Approach.

For more information on protecting personal information on your systems, see the "Data Security" section of Public Safety Canada's Get Cyber Safe Guide for Small and Medium Businesses: https://www.getcybersafe.gc.ca/cnt/rsrcs/pblctns/smll-bsnss-gd/index-en.aspx#s6-2

Advice from the RCMP for individuals who believe their Personal Information may have been compromised

For those who believe their personal information may have been compromised, the RCMP recommends:

• Be wary of unsolicited emails, phone calls or mail asking for personal or financial information.
• Victims of the recent breach should place alerts with all credit bureaus.
• Stay current: check your bank and credit card statements monthly and report any suspicious activity.
• Report any missing mail or statements right away.
• Shred all personal and financial documents.
• Obtain a credit report once a year for free from the two credit bureaus, Equifax and TransUnion.
For further information on identity theft and identity fraud, see "Identity Theft and Identity Fraud" on the RCMP website.

Businesses and individuals should be aware that exfiltrated personal information can be used in phishing attempts. For advice on this and other cyber security considerations arising from breached personal information, see the United Kingdom National Cyber Security Centre (NCSC) "Statement on the Equifax cyber incident."

References:

Office of the Privacy Commissioner of Canada, "Personal Information": https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_02/