  |
 |
|
Research and retrieval of news articles by: SPECIAL NOTE TO ALL VISITORS: | ||
 |
|
CANADIAN FIRMS PUTTING A LOCK ON DATA PRIVACYSource: The Globe And MailPosted on April 15, 2008 Last year, when Canadian Imperial Bank of Commerce subsidiary Talvest Mutual Funds was forced by the federal privacy commissioner to reveal it had lost a file containing confidential information on almost half a million clients, Jeff Green must have felt a shudder of sympathy mixed with schadenfreude. Such a public drubbing over handling of private data is the nightmare of any chief privacy officer - especially one who works for a bank. But for Mr. Green, the privacy czar at Royal Bank of Canada, it's not accidental gaffes but targeted attacks that cause the most concern. "We have to ensure that the information clients have given us is safeguarded, and is only used for the purposes for which they have given it to us," he says. Working in concert with RBC's chief information security officer - as well as privacy "designates" or "champions" at every business unit and branch who report to his team - Mr. Green is responsible for putting in place policies that protect clients' data and training employees in these procedures. Recently, his team launched a Phishing Resource Centre to help customers avoid tricksters digging for their financial information. Scammers who go "phishing" use official-looking websites or e-mails to try to get customers to supply their personal or account information. High-level executives charged with keeping consumer data safe from scammers and snoopers are increasingly common at major Canadian companies, especially those with vast databases of personal client information, such as financial institutions, utilities and telcos. And, according to a report by Forrester Research in Cambridge, Mass., their efforts are making Canadian corporations privacy leaders. "The Privacy Commissioner in Canada and individual provincial commissions have highlighted privacy as an issue, and so consumers are more aware of it and are pushing for it more," says Jennifer Albornoz Mulligan, the report's author. As a result, among the more than 2,000 organizations in five European and North American countries surveyed, Canadian companies came out on top as most likely to implement comprehensive privacy programs, educate employees about privacy and track privacy policy breaches. Forrester found that 84 per cent of Canadian organizations - the highest proportion - reported having formal privacy programs involving representatives from multiple departments, compared with fewer than half the companies in France. As well, nine out of 10 Canadian organizations polled said they go beyond personal data to cover corporate information in their policies - again, the highest percentage among the countries studied. Ms. Albornoz Mulligan notes that privacy laws vary around the world, but Canada benefits from having national legislation. The Personal Information Protection and Electronic Documents Act, introduced in 2001, applies to most businesses that collect, use or disclose personal information. The act requires that someone be accountable for implementing and monitoring policies covering the reasons for obtaining the information, ensuring consumers have consented to the data-gathering and safeguarding against unauthorized disclosure. Today, chief privacy officer responsibilities are often tacked onto those of the head of information technology or security, but Ms. Albornoz Mulligan expects to see more dedicated privacy czars at public companies. "People have been mostly concerned about security, so privacy was given short shrift. But a lot of solutions to security problems are technology-based, while privacy is more about process and education than technology." That said, she adds, "If you don't have good security, you can't have privacy." While large Canadian companies, prompted by a slew of embarrassing breaches, have been putting more of a focus on their privacy policies, they're reluctant to come clean if their system has been hacked or customer data lost. And that, says Michael Geist, a University of Ottawa professor specializing in Internet and e- commerce, is a flaw in the Canadian privacy laws. Prof. Geist believes the commissioners are too timid in disclosing the subjects of privacy complaints, pointing out that in the U.S., when the Federal Trade Commission launches an investigation into a privacy violation, the announcement of that fact alone serves as a deterrent to others. "The Canadian law provides scope to disclose, but it's done only in rare cases," Prof. Geist says. Most U.S. states require companies to inform clients if the security of their private information has been compromised, whether by a hacker or an employee who lost a laptop, and that means notifying every individual affected. Such mandatory disclosure doesn't exist in Canada, says Prof. Geist, and what we do find out often comes through leaks to the media. Ms. Albornoz Mulligan agrees that having to disclose a data breach would serve to make Canadian companies more cautious. "We've seen that public-shaming approach work very well here," she says, "plus it costs the companies money to send out all those letters."
E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes. |
|
ALERT  WebTrust Is Your Best Defense Against Privacy Breaches. Get WebTrust Working For Your Site. |