Spotlight On… Protection of Sensitive Data including Personal Information

Purpose

On Sept. 7, 2017 media reports indicated that a large American credit score bureau had been breached, exposing the personal information of millions of consumers in the U.S. and in the U.K. and potentially affecting 8,000 individuals in Canada. On November 28, 2017 the Canadian arm of this U.S. company posted information on its website indicating that an additional 11,670 Canadians had been affected by the breach, bringing the total number of Canadians affected to about 19,000.

In response to CCIRC partner questions concerning this event, this product provides information on what organizations can do to reduce the risk of sensitive data, such as personal information, being exfiltrated from their organization. Information in this note includes:

• The Canadian statutory definitions of personal information
• Upcoming regulatory changes to data breach reporting in Canada
• Examples of reported breaches of Canadian personal information
• Tactics, techniques, and procedures employed to target Canadian personal information
• Tips for safeguarding sensitive information
• Advice from the Royal Canadian Mounted Police (RCMP) for individuals who believe their personal information may have been compromised

What is “Personal Information”?

According to the Office of the Privacy Commissioner of Canada (OPC), these are the statutory provisions relevant to the meaning of “Personal Information” in Canada: Section 2(1) of the Personal Information Protection and Electronic Documents Act (2000, c. 5) (PIPEDA) states that “personal information” means “information about an identifiable individual.” Section 4(1) provides that PIPEDA applies to every organization in respect of personal information that the organization “collects, uses or discloses in the course of commercial activities” or “is about an employee of, or an applicant for employment with, the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.”

TLP GREEN

PUBLIC SAFETY CANADA

Given the statutory requirements to protect “information about an identifiable individual,” in your organization where is such information stored, and what internal technical, policy, training, and labelling measures are in place to protect it?

Forthcoming changes in Canada to the requirements for data breach reporting

Going forward, there are no indications that personal information, such as that exfiltrated from this U.S. credit score bureau, is becoming any less attractive a target for threat actors. There are also forthcoming changes in the regulatory landscape in Canada that will make it mandatory for some organizations to keep a record of breaches involving personal information and to provide a copy to the Office of the Privacy Commissioner upon request. When these changes are enacted, organizations that knowingly fail to report to the Office of the Privacy Commissioner or notify affected individuals of a breach that poses a real risk of significant harm, or knowingly fail to maintain a record of all breaches, could face fines of up to $100,000.

In Canada, “The Digital Privacy Act” (formerly known as Bill S-4) received Royal Assent in June 2015, resulting in a number of significant amendments to Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). While many amendments came into force upon Royal Assent, those relating to “breaches of security safeguards” will only come into force following associated regulations being developed and put into place by the federal government.

The concept of “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, and financial loss, among others. Factors that organizations will need to consider when assessing the presence of a real risk of significant harm include the sensitivity of the information involved and the probability that the information was or will be misused (or any other prescribed factor).

Examples of reported breaches of Canadian Personal Information

Theft of personal information is happening in Canada. In September 2017 a Canadian transportation company reported a breach of customer data for the period of Jan. 2, 2017 to March 19, 2017. The company said its investigation determined a subcontractor of one of its suppliers inadvertently made some customer lists available on the Internet while performing a series of tests. According to the company, the exposed lists contained customers' names, postal codes, email addresses and travel details. Also in September, a Canadian news and entertainment website said some of its databases containing the personal information of about one million users from 1996 to 2008 had been compromised.

Tactics, techniques, and procedures employed to target Canadian Personal Information

In a speech on “Causes of Breaches and Breach Prevention Recommendations” at a Cyber Summit in October 2016, Alberta’s privacy commissioner observed (based on mandatory breach reporting requirements in her province) that her office had seen an “increase in breaches that result from hacking, malware or phishing.” In several cases reported to her office “hackers installed malware on organizations’ websites or gained unauthorized access to customer databases, specifically targeting financial and credit card information of customers.”

She said her office had also “seen an increase in another cybersecurity threat which involves unauthorized individuals posing as a CEO or other senior executive asking HR personnel or another administrator within the organization to send highly sensitive personal information in, for example, a spreadsheet.” In one case reported to her office she said “the membership list of an association was sent to an unauthorized individual.”

Tips to protect sensitive data such as Personal Information

On its website, the Office of the Privacy Commissioner of Canada (OPC) provides “Tips for Reducing the Likelihood of a Privacy Breach.” These include:

• Know what personal information you have, where it is, and what you are doing with it. Data inventories and process maps will help ensure you know exactly what personal information you need to protect, as well as when and where you need to protect it.

• Know your vulnerabilities. Conduct risk and vulnerability assessments and/or penetration tests.

• Know your industry. Be aware of breaches in your industry. Attackers will often re-use the same attacks against multiple organizations.

• Encrypt laptops, USB keys and other portable media. Organizations often focus on privacy breaches caused by hackers, but this ignores some key threats.

• Limit the personal information you collect, as well as what you retain. You should know not only why you are collecting each piece of personal information, but why you are keeping it.

For further tips, please see the article “Ten Tips for Reducing the Likelihood of a Privacy Breach” on the OPC website.
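The first OPC tip, knowing what personal information you hold and where it sits, is easier to act on with a simple discovery scan of file shares and exports. The following is an added example, not code from the original document or from the OPC: a Python script that walks a directory tree and, for each file, counts candidate Canadian Social Insurance Numbers (nine digits that pass the Luhn checksum, which is the check digit scheme SINs use) and e-mail addresses, reporting counts per file rather than the values themselves so the inventory itself does not become another copy of the data. The directory layout, file names and contents are constructed for the example; pattern matching alone produces false positives, so the output is a starting point for a data inventory, not a classification.

```python
"""Added example: a minimal personal-information discovery scan.

Walks a directory tree and reports, per file, how many candidate SINs and
e-mail addresses were found. Values are never written out, only counts.
"""
import os
import re
import tempfile
from collections import Counter

# Nine digits, optionally grouped 3-3-3 with a space or dash. Word boundaries
# keep longer digit runs (card numbers, 10-digit phone numbers) from matching.
SIN_RE = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")
EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (used by Canadian SINs and by payment card numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> Counter:
    """Count candidate personal-information fields in a block of text."""
    counts: Counter = Counter()
    for match in SIN_RE.finditer(text):
        digits = "".join(match.groups())
        # Luhn filters out most random nine-digit runs, not all of them.
        if luhn_valid(digits):
            counts["sin_candidate"] += 1
    emails = len(EMAIL_RE.findall(text))
    if emails:
        counts["email"] = emails
    return counts


def scan_directory(root: str) -> dict:
    """Return {relative_path: {field: count}} for every file with at least one hit."""
    inventory = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue            # unreadable file: skip rather than abort the scan
            counts = classify_text(text)
            if counts:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                inventory[rel] = dict(counts)
    return inventory


# Constructed sample tree (assumption: not real data). 046 454 286 is a
# Luhn-valid illustrative SIN; 123-456-789 is nine digits that fail Luhn.
SAMPLE_FILES = {
    "hr/payroll_export.csv": "name,sin,email\nA. Example,046 454 286,a.example@example.com\n",
    "marketing/newsletter.txt": "Contact press@example.org for details. Ref 123-456-789.\n",
    "docs/readme.txt": "No personal information in this file. Ticket 20170907.\n",
}


def build_sample_tree() -> str:
    """Write the constructed sample files into a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="pi_inventory_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, fields in scan_directory(sample_root).items():
        print(rel_path, fields)
    # Expected: hr/payroll_export.csv {'sin_candidate': 1, 'email': 1}
    #           marketing/newsletter.txt {'email': 1}
```

Run it against an export directory or a mounted share instead of the sample tree to get a first map of where SIN-like values and addresses live; the results then feed the data inventory and retention review the OPC tips call for, and files with hits are candidates for the encryption and access controls discussed elsewhere in this note.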

With respect to the federal government, the Communications Security Establishment (CSE), working with the Treasury Board Secretariat (TBS) Chief Information Officer Branch, defines IT security standards, practices and technical guidance that should be used by IT security practitioners. For the standards promoted by CSE for the protection of “protected B” information on Government of Canada systems, including records labelled as “Personal Information,” see Communications Security Establishment – “Annex 4A - Profile 1 - (PROTECTED B / Medium Integrity / Medium Availability)” in Information Technology Security Guidance Publication 33 (ITSG-33), IT Security Risk Management: A Lifecycle Approach.


For more information on protecting personal information on your systems, see the section on “Data Security” in Public Safety Canada’s Get Cyber Safe Guide for Small and Medium Businesses https://www.getcybersafe.gc.ca/cnt/rsrcs/pblctns/smll-bsnss-gd/index-en.aspx%20-%20s6-2#s6-2

Advice from the RCMP for individuals who believe their Personal Information may have been compromised

For those who believe their personal information may have been compromised, the RCMP recommends:

• Be wary of unsolicited emails, phone calls or mail asking for personal or financial information.

• Victims of the recent breach should place alerts with all credit bureaus.

• Stay current. Check your bank and credit card statements monthly and report any suspicious activity. Report any missing mail or statements right away.

• Shred all personal and financial documents.

• Obtain a credit report once a year for free through the two credit bureaus, Equifax and TransUnion.

For further information on identity theft and identity fraud, see “Identity Theft and Identity Fraud” on the RCMP website. Businesses and individuals should be aware that exfiltrated personal information can be used as part of attempted phishing events. For advice on this and other cyber security considerations arising from breached personal information, see the advice given by the United Kingdom’s National Cyber Security Centre (NCSC) “Statement on the Equifax cyber incident.”

References:

Office of the Privacy Commissioner of Canada “Personal Information” https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_02/

Office of the Privacy Commissioner of Canada “The Digital Privacy Act and PIPEDA” https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/legislation-related-to-pipeda/02_05_d_63_s4/

“Cybersecurity from a Privacy Regulator’s Perspective” - Jill Clayton, Information and Privacy Commissioner, Keynote Presentation at the 2016 Cyber Summit hosted by Cybera (October 27, 2016 Banff, Alberta) https://www.oipc.ab.ca/resources/subjects/breaches.aspx

Office of the Privacy Commissioner of Canada “Ten Tips for Reducing the Likelihood of a Privacy Breach” https://www.priv.gc.ca/en/privacy-topics/privacy-breaches/02_05_d_60_tips/


Communications Security Establishment - Annex 4A - Profile 1 - (PROTECTED B / Medium Integrity / Medium Availability) in Information Technology Security Guidance Publication 33 (ITSG-33), IT Security Risk Management: A Lifecycle Approach. https://www.cse-cst.gc.ca/en/node/265/html/25842

Public Safety Canada “Data Security” in Get Cyber Safe Guide for Small and Medium Businesses https://www.getcybersafe.gc.ca/cnt/rsrcs/pblctns/smll-bsnss-gd/index-en.aspx%20-%20s6-2#s6-2

RCMP “Identity Theft and Identity Fraud” http://www.rcmp-grc.gc.ca/scams-fraudes/id-theft-vol-eng.htm

NCSC “Statement on the Equifax cyber incident” https://www.ncsc.gov.uk/news/statement-equifax-cyber-incident

FEEDBACK

As an important partner, it is our hope that this publication may be useful to you and your organization. We would appreciate any feedback or questions you may have on this publication, which should be provided to [email protected].

DISCLAIMER

Produced by Public Safety Canada’s Canadian Cyber Incident Response Centre (CCIRC), this report is UNCLASSIFIED, Traffic Light Protocol GREEN, and the property of the Government of Canada. As such, this report may be shared within the cyber security, information assurance, and critical infrastructure communities at large, but may neither be published, in part or in whole, nor posted on the web.

MANDATE

In support of Public Safety Canada’s mission to build a safe and resilient Canada, CCIRC contributes to the security and resilience of the vital cyber systems that underpin Canada’s national security, public safety and economic prosperity.

As Canada’s computer security incident response team, CCIRC is Canada’s national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber events. It does this by providing authoritative advice and support, and coordinating information sharing and event response.

REPORTING CYBER INCIDENTS

Recognizing that cyber security is a shared responsibility that is underpinned by two-way information sharing, Canadian critical infrastructure operators are encouraged to partner with and report cyber incidents to CCIRC at [email protected] using the CCIRC Cyber Duty Officer PGP encryption key.
