The pace of technology continues to move faster and faster. A year ago, wearable devices, such as fitness monitors and smart watches, were something only a few hard core technophiles had. Now, they are everywhere. Similarly, 3-D printers, that can create three-dimensional items seeming from thin air, were, until a year ago, restricted to high-end manufacturing, but can now be purchased for home use, and are available for rent at many public libraries.
Changes in the law associated with these technologies is not moving as fast, but it is changing nonetheless. According to an article in Forbes, a defense lawyer in a personal injury matter in Calgary has said he will use the data from a Fitbit fitness monitoring device to show evidence of injury to his client.
3-D printing and copyright infringement made headlines recently, when the plans to produce a doll of Katie Perry’s now famous Superbowl Left Shark became available on Shapeways, a website where 3-D printer plans can be purchased. Ms. Perry’s lawyers immediately sent a cease and desist letter to Shapeways. Shapeways cancelled orders and refunded customers. However, the artist who created the plans intends to fight.
New and developing technologies will continue to offer lawyers novel ways to present their cases. It remains to be seen how these new technologies will be treated by courts and tribunals. These and other related issues will make for some interesting debates.
With more and more reports of alarming data breaches such as the one reported by Computer security firm Kaspersky Lab on the weekend, the connection between cybersecurity and privacy can no longer be ignored. As reported in BBC News on February 15, 2014, Kaspersky Lab reported that up to 100 banks and financial institutions worldwide (including Canada) have been attacked in an “unprecedented cyber robbery” (http://www.bbc.com/news/business-31482985). According to the report, an estimated $1bn (£648m) has been stolen in the attacks, starting in 2013 and the attacks are still ongoing.
Last week, the Office of the Privacy Commissioner of Canada released its report Privacy and Cyber Security – Emphasizing privacy protection in cyber security activities that recognizes the threat to privacy posed by cyber breaches and describes policy directions to generate dialogue about cybersecurity as a key element of protecting privacy online.
The OPC report states that: “As cyber security policy directions develop, privacy and data protection authorities have a role to play to reinforce privacy values to ensure that cyber security policy respects privacy rights, and prioritizes personal information protection”. The report encourages organizations to build privacy values into cybersecurity policy directions and says that the importance of “privacy, trust and responsible data stewardship” should be acknowledged in the broader cybersecurity dialogue.
Are Canadians taking notice? It appears they are. Privacy and protection of their personal information is becoming more important to Canadians. A recent survey by the Canadian Privacy Commissioner revealed that people are becoming more aware of how their personal information is being secured.
Over three-quarters of those surveyed said they were concerned about how their personal information online was being used by the government, while about 50% said they did not have a good understanding of what business and government departments actually do with their personal information. Almost 30% said their personal information had been breached.
The good news is that this increased awareness is resulting in better practices. A majority of people now use passwords on their smartphones, adjust privacy settings in online applications such as Facebook, turn off locations services so that their movements are not tracked, and are less likely, or at least question, sharing personal information with organizations.
On the business side, over 80% of people said they would be more likely to choose to do business with a company that has a good data security record.
Privacy Commissioner Therrien commented about these results, saying “businesses should be more upfront and clear about their privacy practices – and not bury that information in long, legalistic privacy policies. And government departments and agencies need to respond to Canadians’ expectation that they be transparent about how they collect and use personal information.”
Wortzmans believes that on the business side, organizations need to approach cybersecurity and privacy protection with a more holistic approach. These are not only issues to be left with IT or Legal to resolve in isolation. A collaboration of IT, legal, risk, HR and compliance expertise should all contribute to develop a proactive cybersecurity plan for an organization or government entity.
Privacy breaches involving personal information are becoming more common in both Canada and the United States.
The U.S. President recently proposed legislative changes addressing cybersecurity and information sharing. One aspect of the proposed US legislation, the Personal Data Notification & Protection Act, will create a standard for notification of security breaches. It will require organizations that access or collect personal information to notify individuals about security breaches involving personal information, unless there is no reasonable risk of harm or fraud. The notification requirement will apply to organizations that deal with the personal information of more than 10,000 individuals during any 12 month period. Notification will be required within a reasonable period (30 days).
In Canada, Bill S-4, the Digital Privacy Act, similarly requires organizations to report breaches of security involving personal information but only if it is reasonable to believe that the breach creates a real risk of significant harm to an individual. Significant harm includes humiliation, damage to reputation, financial loss, and identity theft, among other factors. Reporting will be required as soon as feasible after it is determined that a breach has occurred. Organizations must record security breaches involving personal information. Bill S-4 is being challenged for also including provisions that will permit organizations to disclose an individual’s personal information without their knowledge in certain circumstances. Bill S-4 has been referred to Committee before a second reading in the House of Commons.
The bottom line: Organizations in Canada and the U.S must pay attention to the ever evolving privacy regulation landscape as governments attempt to address the increasing problem of privacy breaches.