Welcome to Cyber Security Today. This is the Week in Review edition for Friday,August 5th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
I’m off this week so there won’t be the usual review of news highlights with a guest commentator. Instead we’re presenting a repeat interview with privacy expert Ann Cavoukian. A privacy strategy is a vital component of any organization and her insight should be considered by the C-suite.
A former Information and Privacy Commissioner for the province of Ontario, she’s best known for creating the Privacy by Design framework. It calls for privacy to be taken into account throughout an organization’s entire IT and operating processes to protect personal and financial information. Privacy by Design has been adopted by numerous companies and countries. It’s a fundamental obligation of firms coming under the European Union’s General Data Protection Regulation.
Currently, Ann is the executive director of the Toronto-based Global Privacy and Security by Design Centre, a senior fellow of the Ted Rogers Leadership Centre at Ryerson University and a faculty fellow of the Center for Law, Science and Innovation at the Sandra Day O’Connor College of Law at Arizona State University.
I started by asking Ann to describe her work at the Global Privacy and Security by Design Centre.
Ann Cavoukian: There is so much interest in privacy these days and my messaging has always been you can’t just look at privacy. You have to look at privacy and security together. They complement each other. Instead of thinking of one versus the other, or some kind of ‘zero-sum either-or model,’ get rid of that dated view and create a web of both privacy and security intertwined. It’s very important to protect your data.
Howard: So you see privacy and cybersecurity as intertwined.
Ann: Absolutely. You know why? The term privacy subsumes a much broader set of protections than security alone. In this day and age of daily phishing and hacking, if you don’t have a strong foundation of security from end to end with full life cycle protection you don’t going to have any privacy. So you have to address both.
Howard: The center will certify organizations. Tell us about the certification process, what it means and why it’s important for an organization to be certified.
Ann: I work with KPMG on the certifications for Privacy by Design. And the reason it’s important and why so many companies are coming forward is there is such a trust deficit now. People don’t trust companies. They don’t trust anybody, understandably. When you are certified for Privacy by Design it is the highest level of protection. You can extend to your customers, and people get this. They’re looking for it. So I tell companies who come to us to be certified so that they can demonstrate to their customers the lengths they’re going to protect their privacy. Shout it from the rooftops, put it on your website, go to great lengths to tell your customers the lengths you’re going to protect their privacy. They love it. It builds trust like no other and it restores trusted business relationships with your customers. Which is out the door for the most part.
Howard: I asked you to be on this particular episode because today [January 28th] is Data Privacy Day. What does that mean to you? What should organizations be doing today and thinking about in terms of their privacy strategy their privacy policies?
Ann: I remember years ago when I was [Ontario’s] privacy commissioner when we first established Data Privacy Day globally on January 28th. It’s so important because what it tells to businesses, and, hopefully, governments, is people care deeply about privacy. You have to go these days to great lengths to ensure the protection of your data and your privacy because surveillance is mounting. It’s everywhere and it’s just unprecedented, the amount of surveillance that is taking place. So Data Privacy Day has taken on a new focus globally to remind people and companies — and especially governments — you have to protect people’s privacy all the time. You don’t just do it when you feel like doing it or and you think there’s some vested interest for you. You have to do it on a regular basis and you have to embed it. That’s what Privacy by Design is all about — embed it deeply into your operations bake it into the code so that people can’t forget about it. It’s always present. People are demanding this. They deserve it. Privacy forms the foundation of our freedom. If you don’t have strong privacy you’re not going to have a free and open society. So it’s absolutely critical to preserve our freedom. People have to be the ones to decide how their personal information is used and to whom it’s disclosed. This is essential.
Howard: How often do you hear leaders of organizations say, ‘I have to be more concerned about revenue and profit than privacy and security.’
Ann: I do a lot of public speaking. I speak to a lot of boards of directors and businesses and whenever I come into the boardroom people are shaking their heads. They think I’m going to shut down their business. And I say, give me 10 minutes let me tell you how Privacy by Design will actually increase your operations your revenue generation, will attract more customers. And then I get their attention. And I say it’s not privacy versus what you’re doing versus your operations. We know you have to generate revenue. But you can do it better if you embed privacy into the process because it will attract more customers to your operations. It will retain the customers you have and preserve their loyalty. It can’t be business interests versus privacy. You have to get rid of that model. It has to be both. So when you go to great lengths to protect your customers’ privacy and let them know what you’re doing they will come to you in droves. They will stay with you. They will attract other customers. It is essential to extend the privacy protection that you’re offering at your company and that will increase your revenues, not the opposite.
Howard: Let me ask the same question in a different way: How often do you hear data privacy officers or IT leaders complain that their management is more concerned about revenue than privacy and security?
Ann: Unfortunately, too often. This is a steep hill and I’m not suggesting we’re there though there are hundreds of companies that have become certified for Privacy by Design. We should have thousands of companies. So yes, it takes time to get this view across to everyone. Increasingly I’m getting more and more contacts and requests to speak to companies because they’re seeing how much people are demanding this. They’ve had it with companies who abuse their information, who make it available to third parties for purposes that are not authorized, that have not been consented to. So if you want to retain your customers and attract new opportunities, lead by telling them the lengths you’re going to preserve their privacy. They will reward you with repeat business and you will gain a competitive advantage by doing so.
Howard: What’s your most convincing argument for getting business leaders to accept Privacy by Design? Do you have a case study?
Ann: I point them to examples where the lack of privacy has led actually to companies shutting down, where people have just walked away from it. I remember Target stores a number of years ago. They opened Target branches in Canada, and this is great because I love Target. I shop there in the ‘states and I was so pleased that they had it here in Canada now. But a number of years ago it had a major data breach. The CIO of Target in the United States resigned. They were appalled at how much information went out the door … It shut down all of the Target stores in Canada. They [customers] heard about the data breach and they were going elsewhere. So that’s just one example of how this can how damaging this can be to your business if you don’t take privacy seriously.
[Reporter’s note: There have been news articles saying the failure in Canada of Target was due to supply chain failures]
Howard: Do organizations still collect too much personal data? They’ll tell you they need to know their customers. And because they need to know how many men and how many women and how many from this demographic age group and how many from this part of the country they need to collect it.
Ann: They do collect too much in personally identifiable form. What I say to companies is, you want all that information? I understand that. Strip the personal identifiers securely from your data because then you’ll have data but you won’t have privacy risks. So you have to use strong de-identification protocols combined with the risk of re-identification framework. Then you dramatically minimize your risk of re-identification to less than 0.05 five percent. Then you’re free to use the data for purposes like you described for research and understanding your operations, but you can’t use that data in personally identifiable form.
Encryption is such an amazing tool, especially if you encrypt your data. You can have tons of valuable data that will not be at risk because no one else can gain access to it. It’s encrypted. You’re the only and who has the key.
Howard: It’s a valuable defence in ransomware attacks where they use the double extortion technique, where not only do they do attackers scramble the corporate data and they first steal a whole bunch of it and then they blackmail the organization: If you don’t pay us for the decryption key we’re going to release your data. Well, if data has been encrypted it doesn’t matter that the thieves steal it.
Ann: Exactly, because what they’ve stolen will be of no value to them in terms of gaining access to personal information.
Howard: A couple of years ago there was a data theft from the Desjardins credit union. The data of 9.7 million customers was stolen, unfortunately by an employee. But data of about 4 million of those were former bank customers whose accounts had expired, but the bank kept the data. Again, perhaps legitimately, the bank wanted to keep their names and addresses so they could send ‘Hey, come on back to us’ messages. But I think there’s a perfect example of how holding unencrypted data can hurt an organization.
Ann: Exactly. Why were they holding onto the data if 4 million customers who already left? That is appalling. These are the examples we have to give to companies that retaining data that you no longer need is not a good idea. If you no longer need the data, delete it securely, Give your customers that ease of knowing that their information is no longer at risk, and give yourself the benefit of saying, ‘I don’t have to worry about that anymore.’
Howard: We’ve talked about protecting data and not collecting more personal data than necessary. What about making corporate data collection policies simpler for consumers so they can read a relatively short description of what information is collected and how it’s going to be used and how partners are accessing it. Then the consumer better understands what an organization’s privacy policy is.
Ann: That is so important. When you tell people to read a five-page policy, forget it. No one’s going to do that. You have to keep it very, very simple. And it can be as simple as, ‘We use your information for this purpose, and that’s it.’ If there’s more things you say so. You have to keep it simple so people can accept it. They can give their authorization, their consent to it. It’s very important to involve your customer in what you’re doing. Don’t expect them to read reams of information and your policy. Nobody does that, and it’s not because people don’t care. Concern for privacy is at an all-time high. In the past two years all of the public opinion polls have come in at the 90 percentile for privacy concerns. Get rid of these stupid long privacy policies no one’s going to read. Just have little points that identify exactly what you’re going to be doing with their information.
Howard: Before closing I want to encourage IT and business leaders to read some of the decisions of the Canadian federal and provincial privacy commissioners on why organizations have violated their respective privacy laws, as well as their investigations of major data breaches. In the U.S. there will be reports from some state authorities. They’re very informative.