  |
 |
|
Research and retrieval of news articles by: SPECIAL NOTE TO ALL VISITORS: | ||
 |
|
RECOVERING FROM A PRIVACY BREACHSource: The Globe And MailPosted on November 23, 2010 Stung by an audacious privacy breach two years ago, Toronto-based Mortgage Alliance Canada moved immediately to contain the damage and bolster the brokerage firm's security strategy - and has not relaxed its vigilance since. John Gabriel, director of compliance and education, now personally vets all hires. He restricts access to consumers' credit information until employees new to the industry have been with the firm for at least two months. The head office "is locked down every night," Mr. Gabriel said in a recent interview. The company has moved away from paper files and stores all documents in a software system protected by firewalls and backup firewalls. Laptops are password-protected and, even if someone cracks the laptop password, another code is needed to gain entry to corporate files. Mr. Gabriel also conducts what he calls the "MAC Academy" three times a year for brokers across the country, reminding agents about their privacy obligations and apprising them of new or emerging risks. These sweeping measures have gone a long way to improve safeguards for consumers, said Mr. Gabriel, who adds that he will always regret that security was breached in the first place. In 2008, Mortgage Alliance Canada and at least a dozen other mortgage brokerages in Ontario were infiltrated by people who falsely represented themselves as legitimate mortgage agents, the Office of the Privacy Commissioner of Canada said in an audit report issued earlier this year. Once hired, "the fraudulent agents gained access to the Web-based credit-reporting tool and obtained hundreds of credit records unrelated to mortgage applications." With more and more data routinely stored online, "personal information is vulnerable to a variety of risks, including loss, misuse, unauthorized access and unauthorized disclosure," the Canadian Institute of Chartered Accountants says in a policy document on privacy issues. "Those vulnerabilities raise concerns for organizations, governments and the public in general." Crime and fraud related to personal information is becoming more pervasive, Ernst & Young LLP indicated in a report on top privacy issues in 2010. "In the light of identity theft, financial fraud and even medical identity theft scenarios being perpetrated, regulators are seeking and often receiving greater enforcement powers," the firm writes. Mr. Gabriel first got an inkling that something was wrong when he started getting calls from consumers about unauthorized use of their credit cards. Then he got an inordinately expensive invoice from the agency his firm uses to check the credit worthiness of mortgage applicants. (The agency has since moved to a system of "velocity reports" that flags unusual activity.) He alerted the police, the privacy commission and consumers who may have been the victims of identity theft, and worked with investigators to identify the source of the problem. Background checks of new employees would have prevented the breach, the privacy commission said in its report. "However, the mortgage brokerages we audited were pro-active and contacted our office to determine how to contain and mitigate the breaches É in this regard, we note that breach notification demonstrates good privacy practices and builds trust." When consumers' financial data has been compromised, "the need for effective and timely management of privacy events and incidents remains a critical issue for all organizations," Ernst & Young said in its report. Even so, it can be difficult for any business to rebuild confidence after a privacy breach, said Paul Battista, a partner in Ernst & Young Canada's national advisory practice. Among the steps that organizations should take to minimize privacy risks are appointing a high-level executive to oversee privacy and compliance. It's an issue that should be baked in at the governance level, Mr. Battista said. "Our clients can't be too vigilant." Security processes need to be constantly tested and retested, he said, adding that "in the digital world we live in now, the so-called bad guys keep getting more and more sophisticated. "Our clients have to be ever more vigilant about the sophistication and the thought processes of how the bad guys think as they try to penetrate and compromise security." Technological advancements have transformed the way business is conducted, Ernst & Young said in its report. As a result, "getting a handle on the new technology that is transforming business is critical to transforming how organizations need to manage privacy." Mr. Gabriel said Mortgage Alliance Canada's new software system passed muster with the privacy commission auditors. As a member of the fraud subcommittee of the Canadian Association of Accredited Mortgage Professionals, Mr. Gabriel stays apprised of emerging risks, whether low-tech or high-tech, and keeps his firm's national network of brokers informed. "When I was first doing mortgages [24 years ago], I would meet you at my office and take down the information. I would courier that information to the lender downtown and then send a courier to pick it up. If there was a breach you could easily pinpoint it," Mr. Gabriel said. Digital risksSafeguarding the privacy of personal information is a central challenge for businesses as more organizations outsource their data collection and storage, Ernst & Young LLP says in a white paper on the topic. For instance, "cloud and utility computing afford new economies and efficiencies to information processing, but it spreads the custody and control of personal information well beyond the organization's traditional boundaries," the Ernst & Young report says. Paul Battista, a partner in Ernst & Young's national advisory practice, says organizations should weigh whether the cost savings are worth the risk. His firm recommends that clients consider whether to entrust their most sensitive data to a third party. There is less risk in outsourcing the management of lower-level data where, if a privacy breach occurred, "the reputational impact will be minimal," he said. The Canadian Institute of Chartered Accountants notes in aÊguide to generally accepted privacy principles, "The organization cannot outsource its ultimate responsibility for privacy for its business processes." A thorough safety audit should also address the protection of information on laptops and other mobile devices as more employees take their work home and on the road, Ernst & Young advises.
E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes. |
|
ALERT  WebTrust Is Your Best Defense Against Privacy Breaches. Get WebTrust Working For Your Site. |