Feature

have their own private sector privacy legislation (currently, B.C., Alberta and Quebec).

With regard to data breaches, the most pertinent of the legislation’s key principles concerns safeguarding data. The law expects companies to safeguard confidential information in three ways, explains Kon: physically, organizationally and technologically.

“‘Physical’ safeguarding refers to things like locking doors and desk drawers, or not leaving things out in washrooms or cars,” she says. “‘Organizational’ means limiting access to data on a need-to-know basis — for example, there should be job-related reasons why a [person in a] particular role would need access to certain kinds of personal information. And ‘technological’ means firewalls, virus checkers, ongoing troubleshooting.”

Quite apart from what governments expect companies to do to protect consumer information, there is the matter of what consumers expect companies to do. Most states in the U.S. now have what’s known as “breach notification legislation,” requiring companies to notify consumers if their personal information has been compromised. What Canadian companies might not know, says Fraser, is that the U.S. legislation could apply to them too, despite the fact that Canada has no such legislation of its own.

“All of these state laws deal with information about residents of those states. They don’t refer whatsoever to the location of the information,” Fraser explains. If there’s enough of a “real and substantial connection” between a company and the jurisdiction where its customer resides, a court order or judgment in that jurisdiction may be enforceable in Canada against that company, says Fraser.

“An example would be my father-in-law, who lives in San Francisco but still has Canadian bank accounts, magazine subscriptions and so on,” he says. “He has rights under the California legislation. If a Canadian company were not to comply with it — if his personal information is breached — they have likely violated that California law. It is mirrored in all the other states.” Breach notification legislation doesn’t exist in Canada, but the possibility of introducing it comes up for discussion regularly in the context of PIPEDA.

An ounce of prevention

The best advice about preventing breaches for most companies, says Fraser, is to act as if breach notification legislation is already in place here. This can mean doing a number of things, beginning with carefully assessing vulnerabilities. “Where are all the places where information can be lost, and are there risks of loss that can be mitigated along the way? Are we sending data disks by courier? It’s better to transport that information digitally in an encrypted form over a virtual private network.”

Employees should not have access to more information than they need, nor should they have opportunities to surf for customer information, says Fraser. “There certainly have been cases of employees taking large amounts of customer information and selling it, or using it themselves for fraudulent intent.”

Next, companies should look at where information is vulnerable. “If employees travel with laptops, do they contain personal information?” asks Fraser. “If yes, is the information secure, is it encrypted, are they sure that if somebody were to steal the laptop,

Breach of Trust

The consequences of an information leak or a security breach can be devastating for a company. Yet they happen every day. Here is how to minimize or eliminate the risks, and what to do if you do not succeed.

In 2001, CIBC employees across the country began doing something strange: faxing confidential customer information to a scrapyard in West Virginia. The forms contained personal and financial details such as social insurance numbers, home addresses, telephone numbers and detailed bank account information.

Despite apparently sustained attempts by the operator to stop the avalanche of faxes, they kept pouring in for nearly three years. The business received so many that its owner, Wade Peer, filed a three-million-dollar lawsuit against the financial institution for negligence and lost business opportunities because his fax machine was tied up.

CIBC eventually issued a public apology and announced a change in its security procedures. But in many respects the damage was done, and several customers had already voiced their resentment on the front pages of various newspapers.

It is not every day that a major financial institution sends its customers’ private information to a scrap dealer. But other breaches of confidential data are surprisingly common. In fact, experts say, depending on how you define a breach, they probably happen every day.

Rising costs

Leaks of confidential information are not attributable only to simple negligence or to fraud by certain employees; there are in fact many people who make it a point of honour to try to break into customer records. A memorable example occurred in 2005, when a correspondent for Maclean’s magazine managed to obtain the telephone number of Jennifer Stoddart, the Privacy Commissioner of Canada. The journalist

Fall 2008 CCCA Canadian Corporate Counsel Association 43
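Two of the controls recommended under “An ounce of prevention” above, need-to-know access and watching for employees who “surf for customer information,” can be expressed directly in code. The following Python is an added example written for this page; it is not code from the article, from CIBC, or from anyone quoted. The role-to-category table, the data categories, the threshold of 50 distinct customers per hour and the audit records are all constructed assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical role-to-category map: each role may see only the categories
# of personal information its job requires (the "need-to-know" principle).
NEED_TO_KNOW = {
    "teller": {"contact", "balance"},
    "loan_officer": {"contact", "balance", "credit_history"},
    "marketing": {"contact"},
}


def may_access(role: str, category: str) -> bool:
    """Deny by default: unknown roles and unlisted categories get nothing."""
    return category in NEED_TO_KNOW.get(role, set())


def flag_bulk_access(events, max_customers=50, window=timedelta(hours=1)):
    """Return {user: peak} for users who looked up more than ``max_customers``
    distinct customers inside any ``window``-long period.

    ``events`` is an iterable of (timestamp, user, customer_id) audit tuples.
    The threshold and window are assumed values, tuned per organization.
    """
    by_user = defaultdict(list)
    for ts, user, customer in events:
        by_user[user].append((ts, customer))

    flagged = {}
    for user, items in by_user.items():
        items.sort()
        peak = 0
        # Slide a window starting at each event and count distinct customers.
        for i, (start, _) in enumerate(items):
            distinct = {c for ts, c in items[i:] if ts - start <= window}
            peak = max(peak, len(distinct))
        if peak > max_customers:
            flagged[user] = peak
    return flagged


def constructed_events():
    """Constructed sample audit trail for the demo, not real data."""
    base = datetime(2008, 9, 18, 9, 0)
    events = []
    # alice: a handful of lookups spread across the day, normal for a teller.
    for i in range(5):
        events.append((base + timedelta(hours=i), "alice", f"C{i:04d}"))
    # bob: 60 distinct customers in half an hour, the "surfing" pattern.
    for i in range(60):
        events.append((base + timedelta(minutes=i // 2), "bob", f"C{1000 + i:04d}"))
    return events


if __name__ == "__main__":
    print(may_access("marketing", "balance"))  # False
    print(flag_bulk_access(constructed_events()))  # {'bob': 60}
```

The access check is deny-by-default, so a role that is missing from the table, or a category nobody thought to list, yields no access rather than silent over-exposure. The bulk-access detector only needs the timestamp, the user and the customer identifier from an existing audit log; it does not need the content of the records, so it can run on a copy of the log held outside the production system.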