With no global standard for data privacy, laws outside U.S. differ in scope

Europe, Canada rules put premium on personal privacy, play catch-up on data-breach notification


As a partner at the Canadian law firm Borden Ladner Gervais, Éloïse Gratton advises her clients on legal, practical and ethical ways to protect an individual's privacy while conducting business nationally and internationally. She has testified before Canada's House of Commons and other federal bodies and conducted training workshops attended by judges and members of Parliament.

ThirdCertainty sat down with Gratton just after she appeared on a privacy panel at CyberScout's Privacy XChange Forum. Here's the gist of that conversation. The text has been edited for clarity and length. (Full disclosure: CyberScout sponsors ThirdCertainty.com.)

ThirdCertainty: Europe and Canada are oriented toward preserving privacy for the individual; in America, not so much. Can you frame how that plays out in global commerce?

Gratton: I would say in Europe and in Canada, we've been a little bit ahead on the data-protection front, so we probably have laws that are a little bit more stringent. Yet we're a little behind on everything that has to do with security-breach notification. In the States, it has been mandatory for quite some time. In Europe, it will be mandatory with the upcoming General Data Protection Regulation in May 2018.


In Canada, there's one province where, if the breach triggers significant harm for the affected individuals, it's mandatory to notify. So in Alberta, that has been a legal requirement since 2009. In coming months, this will also become a federal legal requirement to notify upon a security breach taking place. So we're following the U.S. on this issue.

ThirdCertainty: Cyber threats continue to evolve so rapidly; can regulators keep up?

Gratton: Yes, the threat is evolving, so at the end of the day, organizations need to ensure that they are ready for the new threats. We've seen it recently in Canada with the Ashley Madison hack. So you have to have a breach-incident response plan and make sure employees are trained, so that they'll know exactly what to do. Upon a breach taking place, privacy regulators in Canada will look at (a few) things. They'll look to see that the company had the proper governance structure. Did they have proper policies? Did they have a breach response plan? Did they have the proper contractual provisions when they outsourced some of their services, such as to a cloud service provider? And they'll look at the technological component. Was the company using state-of-the-art encryption and technology tools?

ThirdCertainty: What did we learn from the Ashley Madison hack?

Gratton: Ashley Madison is a website for individuals who are married and want to have extramarital affairs, so it's very sensitive information. If you sign up for these services, you certainly don't expect your contact information to be made available. So the Ashley Madison website was hacked, and then, it was a form of extortion. The hackers said, 'Change some of your services, otherwise we'll expose the identities of all your users.' In the end, they did just that, so all the users were exposed. There were a lot of lessons relevant for any business that has operations in Canada.

ThirdCertainty: In terms of taking care of sensitive data?

Gratton: Absolutely. For instance, (privacy regulators) felt the company did not have proper technology tools to avoid a hacking, and they did not have the proper policies. Moreover, they had an issue with the fact that the company was using some form of security seal on their website, so that users felt really confident signing up. At the end of the day, this seal was meaningless. So they felt it was misleading users and probably affecting consent of people signing up on the site.

It was a joint investigation involving the Canadian privacy commissioner and the Australian privacy commissioner. Another concern was the fact that the website was charging users to have their account information deleted, so they said, 'Well, if you do that, it has to reflect your own cost as an organization. It has to be reasonable, and you need to let people know ahead of time. This will cost you X amount of dollars.'

ThirdCertainty: It seems like regulations lag behind the pace of innovation in the marketplace.

Gratton: Definitely. Privacy laws and data-protection laws will always be technology neutral. At the end of the day, it's up to the organization to make an assessment of the type of information they collect, of the risks and the type of measures that they should be implementing to make sure they protect the data they're managing.

ThirdCertainty: So what general guidance do you give to your clients?

Gratton: Be proactive, and definitely follow the type of guidance that is issued by privacy commissioners following security incidents. So once there's a complaint or there's a security incident, privacy regulators will investigate and issue guidance, such as the investigation report that was issued in the Ashley Madison case. Other companies should now know, 'OK, we can't charge to have an account deleted, or if we do so, we have to inform users or customers ahead of time. We shouldn't keep data for too long, we shouldn't put fake security seals on our websites.'

ThirdCertainty: If I'm a company that hasn't been paying close attention to privacy, where can I start?

Gratton: Make sure that you're using proper, state-of-the-art technology, including encryption, when you're transmitting and storing information. Make sure that you have the right governance framework in place, all the proper policies. In some cases, it would make sense to have a privacy policy, a breach-response policy, and a data-retention policy, depending on your exact business model.

And another thing to keep in mind is you have to make sure your employees are aware of these policies and that they are properly trained. If there is a security breach, privacy regulators will look for that. They'll look to see if the employees were aware of the policies of the organization and that they received proper training.
