Canadian Security Magazine

Have we forfeited our privacy?

By Roger Miller   


Recent discussions surrounding the federal government’s Bill C-13 focused on access to personal data by law enforcement or other government agencies. Personal data really means our private information.

Within the discussion at many levels was the effort to bring cyber-bullying into the conversation. Canadians want to be protected, we want our children to be protected, and we especially do not want to see another death as a result of the mindless act of vicious teenagers or anyone else.

This is relevant to security managers on a very real level. Although much of this debate has surrounded two high profile deaths of teenagers, it will affect us at the corporate level as well as the personal level.

However, is enforcement within the authority of an Act of Parliament the best approach to protecting Canadians from the insecure world of online risks? Let’s compare this crime to other, more visible criminal activity. For more than 40 years the government has spent untold dollars educating Canadians about the dangers of drug activity and how to report it. Prevention through education has been a major focus of the efforts to attack serious crime. This is where Canada, along with other industrial nations, must go. Unlike the drug trade, which a person would willingly enter as a consumer, everyone is at risk of being a victim of cyber crime. Regardless of whether or not you use the Internet, there is electronic data on you out there that you have no control over. This data is not only held by government; there are business partners, employers and even your favourite coffee shop storing your personal data.

A typical Canadian daily routine goes something like this:

Check your e-mail / Facebook / LinkedIn
Leave home and stop for coffee
Buy gas
Travel through toll highway / bridge
Transit system
Check your e-mail / Facebook / LinkedIn accounts (again)
Lunch
Online purchases and/or banking
Check your e-mail / Facebook / LinkedIn accounts (again)
Return home
Repeat…

Each of the above activities is electronically recording your presence. CCTV, debit or credit card transaction, IP address and GPS recording are taking place in an intrusive manner that you cannot control. You can opt not to do business with a company because they are recording your personal information, but realistically there are no options that will completely eliminate this activity. Therefore we need to educate people from all walks of life. From students to seniors, we need people to understand the footprint they are leaving and the electronic data that exists with or without their knowledge and consent.

On the corporate level, executives need to be educated on what information their company is gathering, how it is stored and what it is used for. Ultimately they may be held accountable if there is a breach of personal data. Winners, Target and other major retailers have suffered significant breaches and their executives have paid a price for it. Although this topic has been on the table for some time, the message has not been clear.

The following is an excerpt taken from the federal justice website:

Bill C-13 would reclassify certain powers and fix gaps in investigative tools. Production orders for transmission data and tracing of specified communications would be included in the Bill as new categories. These orders would adopt the judicial authorization threshold that is consistent with the existing specific production order powers, production order for basic financial data such as an account number, given the lower expectation of privacy in relation to such data.

The above paragraph references “basic financial data.” When one considers what could fall under this context, it becomes a large pool of data on individuals or groups that many organizations collect and retain. Could basic financial data be stretched to determine how much fuel you purchase each month at your local service station or the credit information you supplied your local utility provider to set up your account? Could it be part of some detail you posted on Facebook? I believe it could and has been defined in those terms.

Protecting this data will be a key part of a Threat Risk Vulnerability Assessment for the foreseeable future. Security management must be closely aligned with the peripheral managers (IT/Privacy Officer) to provide a cohesive protection platform. Historically, police agencies have had direct contact with security managers of larger organizations; the two parties would communicate on a regular basis. When the police needed information they would contact that security manager, and oftentimes no warrant or formal request was provided or requested. The justification for not formally requesting the information was almost always that the information was being shared in the interests of public safety. Good or bad, the dialogue surrounding Bill C-13 has heightened the awareness of just how much data could be shared about each of us.

From the coffee chain to the financial institution we deal with, there is a tremendous amount of data out there to be shared. Someone has to manage that data internally for each organization because the request for the data from law enforcement or others will be coming. Asset protection has to be redefined to include this electronic data.

Drawing a line that connects the death of teenagers to the boardroom door isn’t a far-fetched concept. It is all connected to the privacy of Canadians and the responsibility everyone has to manage it. Without that knowledge, enforcement is going to be a very steep uphill battle for us.

Regardless of who holds our personal information, government or private industry, our privacy as we knew it is gone.

For more information visit:
http://www.justice.gc.ca/eng/news-nouv/nr-cp/2013/doc_33002.html

Roger Miller is the president of Northeastern Protection Service Inc. and a Certified Identity Theft Awareness Trainer.

