IT security experts often focus on hunting down malware makers and vulnerabilities in organizations, while government privacy commissioners work separately at protecting personal data.
Sometimes it seems they have conflicting goals.
But the federal privacy commissioner has told a Montreal security conference that it's time the two groups worked more closely together.
“It is imperative that cyber security specialists and data protection authorities like the OPC (Office of the Privacy Commissioner) work even more closely together to improve the defences in the private sector, and ensure privacy protection is a guiding principle in cyber security efforts,” Jennifer Stoddart told a meeting of the Messaging, Malware and Mobile Anti-Abuse Working Group on Wednesday.
The group includes telecommunications and security companies.
Exchanging knowledge and honing best practices “is essential for more effective cyber security,” she said in prepared remarks released to the media. “Better cyber security is a prerequisite for effective privacy protection,” she added.
As an example, she said, her office and the Dutch Data Protection Authority collaborated last year on a joint investigation of WhatsApp, a mobile app developer based in California with hundreds of millions of customers worldwide, because it contravened privacy laws both in Canada and in the Netherlands. The company agreed to improve its privacy protection.
Last May, 19 privacy enforcement agencies, including Stoddart’s, collaborated in an Internet sweep to examine the posted privacy policies of almost 2,200 websites and nearly 100 apps.
Almost a quarter of the websites and apps had no privacy policy available, the investigation found. Mobile apps were especially poor, with more than half lacking a privacy policy entirely and more than 90 per cent raising concerns about how they present information on their privacy practices.
The sweep “highlighted the importance of organizations explaining their privacy practices in a fashion that is both transparent and concise,” she said. “People need and deserve such explanations so they can make meaningful decisions in exercising control over their own personal information.”
According to a survey done by her office, Canadians overwhelmingly said they want to be notified if an organization they have given personal information to suffers a data breach or loss. At the same time, almost 60 per cent doubted they would be notified.
“This dual expression of public concern and pessimism should act as a warning flag for those in IT executive suites . . . and to those on the IT front lines as well,” Stoddart said. “The potential harm to organization brands from data breaches is significant and on the rise. That alone should be an incentive to make cyber security and accountability a greater business priority.”