Canada’s privacy watchdog just released some pretty grim details about the state of Canadians’ privacy. The so-called “Internet of Things” is collecting all sorts of sensitive data about us and quite possibly mismanaging it; yet it seems there is little we, as individuals, can do to protect our information.
Users of connected devices are forced to click ‘agree’ when signing on for the first time. Without saying yes, the devices cannot be used as intended. But what are we saying yes to? We want to believe that our privacy is being safeguarded by these companies, but it is time to take a closer look at their privacy policies. They are vague and, in some cases, have not been properly proofread and still contain placeholders where specific privacy policies should be spelled out.
The Office of the Privacy Commissioner of Canada (OPC) is clearly concerned about this. The Privacy Commissioner, Daniel Therrien, has stated that “[a]s this technology expands, it is imperative that companies do a better job of explaining their personal information handling practices.” The question remains as to how this can be accomplished. Canadians are quick to adopt new technology but, on their own, lack the resources to influence major change in the ways in which their privacy is protected. This role may be best suited to a federal body with the power to implement and enforce privacy standards. Fortunately for Canadians, the OPC is proactively investigating and making recommendations on the issue, thus putting companies on notice that enforcement will soon follow.
In any event, before clicking ‘agree’ be sure to read the fine print.
Another corporate data breach. It seems like it happens almost every day. However, the Yahoo! data breach reported yesterday afternoon is not like most others.
Yahoo reported that the personal details (username, date of birth, telephone numbers, email addresses, etc.) of between 400 and 500 million user accounts had been stolen over two years ago, but it only discovered this recently. In fact, Yahoo didn’t discover the breach itself – it was notified after an internet auction site offered the information for sale. This could be the largest theft of non-company personal information ever (the Sony hack two years ago was larger, but only contained personal information of Sony employees and contractors).
Yahoo is now advising its users to change their passwords. While changing passwords on a periodic basis is always a good idea, doing it in light of this theft is even more important.
This breach highlights one of the most compelling reasons to embrace Information Governance in the Internet age – it is not a matter of if you will be breached, but when. If you take this attitude, knowing what information you have so that you can protect the crown jewels becomes a no-brainer.
On August 29th, Justice Paul Perell of the Ontario Superior Court approved a settlement in the class action lawsuit against Home Depot arising from a data breach it suffered in 2014. Justice Perell said that “(t)he case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak. The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behaviour modification.”
Essentially, the court declared that Home Depot did not do anything wrong and could not have prevented the data breach. Even so, this breach cost Home Depot Canada about $520,000 in legal fees and settlement costs, on top of the millions of dollars Home Depot spent in Canada on providing its customers with credit card monitoring services. Settling a class action is now one more cost of remediating a data breach in Canada.
Home Depot responded well (it contained the breach quickly, identified the stolen information, notified affected people as soon as possible, and offered to pay for credit monitoring services). This indicates it was able to identify what information was affected by the breach.
We believe the specific data breach that Home Depot suffered could have been mitigated if it had been more proactive with a comprehensive Information Governance strategy.
The breach involved hackers gaining access to credit card terminals through a third party vendor that contracted with Home Depot. When a consumer swiped their credit card at the terminal, the card information was transmitted, unencrypted, to a central Home Depot computer for processing. Over the course of five months, the hackers intercepted the information along the way, capturing the consumer’s credit card account information, email address, and purchase data. Following the breach, Home Depot replaced the terminals with those that transmitted the information in encrypted form, so that even if it was intercepted, it could not be deciphered.
In 2013, Home Depot suffered two small data breaches. At that time, it was advised by security experts to activate the encryption function of its credit card terminals. However, it decided not to do this in order to save money.
Home Depot could have also implemented or enforced more stringent IG practices, including policies on data transmission (that would have required encryption), data retention (that may have prevented some email addresses from being stolen) and ongoing compliance monitoring (which may have allowed them to discover the breach much more quickly).
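The two controls described above, encrypting card data before it leaves the terminal and monitoring for card data that is readable in transit, can be shown concretely. The following Go program is an added example for this post; it is not Home Depot’s code, nor code from the court record. It assumes a constructed terminal record format (`pan=…;exp=…;email=…;amount=…`) and uses the standard test card number 4111111111111111, which is not a real account. `EncryptRecord` seals a record with AES-256-GCM so that an intercepted copy cannot be deciphered or silently altered, and `ContainsPlaintextPAN` is the kind of compliance-monitoring rule that would flag a Luhn-valid card number appearing unencrypted on the wire.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"regexp"
)

// SampleRecord is a constructed example of what a terminal might send to the
// central processing host. 4111111111111111 is a standard test PAN, not real data.
const SampleRecord = `pan=4111111111111111;exp=1218;email=customer@example.com;amount=42.17`

// Card numbers are 13 to 19 digits long.
var panPattern = regexp.MustCompile(`[0-9]{13,19}`)

// luhnValid reports whether a digit string passes the Luhn checksum used by card numbers.
func luhnValid(s string) bool {
	sum := 0
	double := false
	for i := len(s) - 1; i >= 0; i-- {
		d := int(s[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// ContainsPlaintextPAN is a monitoring rule: it flags any payload carrying a
// Luhn-valid 13-19 digit run, i.e. a card number readable on the wire.
func ContainsPlaintextPAN(payload []byte) bool {
	for _, m := range panPattern.FindAll(payload, -1) {
		if luhnValid(string(m)) {
			return true
		}
	}
	return false
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals a terminal record with AES-256-GCM. The random 12-byte
// nonce is prepended so the receiver can open the payload; it must never repeat under one key.
func EncryptRecord(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, nil), nil
}

// DecryptRecord opens a payload produced by EncryptRecord. A tampered or
// mis-keyed payload fails authentication and returns an error rather than garbage.
func DecryptRecord(key, payload []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(payload) < ns {
		return nil, errors.New("payload shorter than nonce")
	}
	return gcm.Open(nil, payload[:ns], payload[ns:], nil)
}

func main() {
	// Constructed demo key; a real terminal receives its key through a controlled key-injection process.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	plain := []byte(SampleRecord)
	sealed, err := EncryptRecord(key, plain)
	if err != nil {
		panic(err)
	}
	fmt.Println("unencrypted record exposes a PAN:", ContainsPlaintextPAN(plain))
	fmt.Println("sealed payload exposes a PAN:", ContainsPlaintextPAN(sealed))
	opened, err := DecryptRecord(key, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("host recovered the record intact:", string(opened) == SampleRecord)
}
```

Run against the sample record, the monitoring rule fires on the unencrypted form and stays silent on the sealed form, and the host still recovers the original record. The same rule, applied to captured traffic between terminals and the processing host, is one way an ongoing compliance program could have surfaced unencrypted card data well before it was stolen over five months.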
Even though Home Depot responded well to the breach, it still incurred costs in the millions of dollars. Implementing and enforcing Information Governance ahead of time would likely have mitigated those costs, and been a better use of the money.