Evidence of meeting #155 for Public Safety and National Security in the 42nd Parliament, 1st Session. (The original version is on Parliament's site, as are the minutes.)


Also speaking

Gregory Smolynec, Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada
Leslie Fournier-Dupelle, Strategic Policy and Research Analyst, Office of the Privacy Commissioner of Canada
Glenn Foster, Chief Information Security Officer, Toronto Dominion Bank

4:10 p.m.

Liberal

The Chair Liberal John McKay

I see quorum.

I also see that it's 4:10, and we have a vote at 5:45, I believe, in which case we will likely have to be done by 5:30, or a little bit later than that, but not much later.

We have, from the Privacy Commissioner's office, Mr. Smolynec—

4:10 p.m.

Dr. Gregory Smolynec Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

That's correct.

4:10 p.m.

Liberal

The Chair Liberal John McKay

—and Ms. Fournier-Dupelle.

I'm going to invite them to make their opening statement. The TD witness who is about to arrive is a little concerned that what TD has to say is a little different from what the Office of the Privacy Commissioner has to say.

I'm going to play it by ear a little bit as to whether we merge the two witnesses, or go back and forth.

With that, we'll ask you to make your opening statement.

4:10 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

Good afternoon, Mr. Chair and members of the committee.

Thank you for the invitation to speak to you today. I'm grateful for the opportunity, given that your study touches on issues with which Canadians and the Office of the Privacy Commissioner, or OPC, are seized.

I will reiterate the concerns I voiced when I appeared before the Standing Senate Committee on Banking, Trade and Commerce on its study of open banking: the financial sector must be built upon a foundation that includes respect for privacy and other fundamental rights at its core. Banks and other financial institutions must have robust standards for both cybersecurity and privacy.

It is important to clarify the difference between a privacy breach and a security breach as the two terms are often used interchangeably.

A security breach is any incident that results in unauthorized access of data, applications, services, networks and/or devices by bypassing their underlying security mechanisms. A privacy breach is the loss of, unauthorized access to, or disclosure of, personal information, regardless of the means. A privacy breach is broader and can occur without any compromise of security systems.

And this is the challenge: cybersecurity and privacy have some overlap in that the former can help protect the latter, but in some cases, cybersecurity can create risks for privacy. For example, it is vital to ensure that cybersecurity strategies and activities do not lead to the development of massive surveillance regimes for unlimited and unending monitoring and analysis of the personal information of individuals.

Both the public and private sectors have obligations to report breaches. Under the public sector Privacy Act, that obligation resides in Treasury Board policy, which requires that OPC officials be notified of material privacy breaches. A breach is “material” if it involves sensitive personal information, could reasonably be expected to cause harm or involves a large number of individuals.

On the private sector side, the Personal Information Protection and Electronic Documents Act, or PIPEDA, requires organizations to report breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals. Organizations must notify affected individuals about those breaches and keep records of all breaches.

An example of a high-profile privacy breach is the World Anti-Doping Agency—otherwise known as WADA—case. As a result of a phishing attack in 2016, WADA's database containing extremely sensitive personal information of athletes was compromised by Russian military intelligence operators, who subsequently released some of this data into the public domain, with the threat of releasing more.

In the OPC's WADA investigation, we concluded that cybersecurity measures should be proportionate both to the sensitivity of the personal information being protected and to the attractiveness of the information to malign actors. This reasoning also applies to cybersecurity in the financial sector. The Supreme Court of Canada has ruled that financial information is indeed sensitive. Other major breaches in recent memory have been those concerning Equifax, Ashley Madison and the Phoenix pay system.

Privacy breach reporting in the private sector has been mandatory since November 1, 2018. Since then, we have seen an approximately fourfold increase in breach reports from the private sector. With six months of private sector data breach reporting under our belt, and considerably more experience on the public sector side of the house, we have made a number of observations. These include that institutions are not always aware of the personal information they hold, where it goes or who has access to it. Oftentimes in the rush to protect against hackers, the internal threat is overlooked, yet privacy breaches involve not only loss of personal information to external forces, but also inappropriate access by internal actors. Mandatory breach reporting requirements can be a tool to enable institutions to confront the adequacy, or lack thereof, of cybersecurity plans and preparations. Furthermore, the OPC uses this information to inform our guidance to organizations.

The challenge for our office and for Canadians is to keep pace with technology. Understanding how personal data will be used, by whom and for what purpose, is equally difficult. While it's the case that privacy policies are seldom read, we may be approaching a time where how data is used is equally ill-understood. The office has done work in the area of examining notions of consent in this space, and has recently launched guidelines for organizations subject to PIPEDA on how best to obtain meaningful consent for the use of personal information.

As others have indicated before this committee, we believe that these issues are best addressed with a collaborative approach. To that end, we work together with other data protection and privacy offices on joint investigations. We participate in Global Privacy Enforcement Network sweeps, and have found that this enables sharing of best practices. The OPC also participates in the cyber security analysts network group, chaired by Public Safety, with the participation of other federal government departments. Our government advisory directorate also provides advice to federal government stakeholders in this area. Other solutions involve education and outreach for companies, particularly small and medium-sized enterprises, which are often hard pressed to ensure their information, including personal information, is adequately safeguarded.

In conclusion, privacy regulators and advocates have a role to play to ensure that cybersecurity strategies, principles, action plans and implementation activities promote privacy protection both as a guiding principle and an enduring standard. We also need to reform our privacy legislation to make it fit for purpose to ensure that the privacy of Canadians is protected as technologies and economies change, including those in the financial sector.

I welcome your questions.

4:20 p.m.

Liberal

The Chair Liberal John McKay

Thank you, Mr. Smolynec.

Just to update colleagues before I ask Mr. de Burgh Graham for his seven minutes of questions, TD does have a concern about sitting at the same table with a regulator. I think we should respect that concern, so I'm therefore going to have to divide the time in half, in which case members are not going to get the same amount of time for questions of the Office of the Privacy Commissioner, which I think is quite regrettable.

4:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Chair, I have a quick question.

I've never seen a precedent where the witnesses asked to be separated that way. We often have contradictory witnesses in the same panel. I don't see why this is necessary, given the time we have.

4:20 p.m.

Liberal

The Chair Liberal John McKay

It's not so much about having contradictory witnesses, and on that I generally agree with your point, but about having a financial institution with one of its regulators sitting side by each on a panel. That's a concern that's been raised by the financial institution. There is an issue of appearance, if not a reality issue.

That does make it difficult to allocate time for some questions here—

4:20 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

When do we have to be done, Mr. Chair?

4:20 p.m.

Liberal

The Chair Liberal John McKay

I'm just calculating that. We have to be done by 5:30. That will pretty well be a hard stop, because you have a vote at 5:45. We might press that—

4:20 p.m.

Conservative

Pierre Paul-Hus Conservative Charlesbourg—Haute-Saint-Charles, QC

The vote is at 6 o'clock. The bell is at 5:30.

4:20 p.m.

Liberal

The Chair Liberal John McKay

Well, if colleagues will grant the chair the opportunity to extend the hearings....

4:20 p.m.

An hon. member

[Inaudible—Editor]

4:20 p.m.

Liberal

The Chair Liberal John McKay

All right. Thanks very much.

Let's start with six-minute rounds, because, regardless, it's going to be cut back—

4:20 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

By 4:55 they have to be done and the next group has to be on.

4:20 p.m.

Liberal

The Chair Liberal John McKay

Yes, it will be somewhere in there.

4:20 p.m.

Conservative

Glen Motz Conservative Medicine Hat—Cardston—Warner, AB

Yes.

4:20 p.m.

Liberal

The Chair Liberal John McKay

Let's start with six-minute rounds. Then we'll go to four-minute rounds and see how far we get with that.

Mr. de Burgh Graham.

4:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Thank you.

To start, you talked about the number of reported incidents increasing massively. I'm more curious about the unreported incidents. Do we have any way of gauging how many there are? And how can we ensure that unreported incidents cease to happen and they all become reported?

4:20 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

Offhand, I do not know how we can gauge unreported incidents beyond big estimates. We have a comparison of what was voluntarily reported before November 1. We now have some indication of what's been reported since November 1.

Have we studied this issue...?

4:20 p.m.

Leslie Fournier-Dupelle Strategic Policy and Research Analyst, Office of the Privacy Commissioner of Canada

I think on the public sector side of the house, sometimes what happens is that there are institutions that are holders of personal information and that, according to the sense we have from other reporting, may have under-reported. In that case, we can reach out to them and suggest that perhaps breach training is required. Sometimes the breaches are published in the media as “security incidents”, and they are in fact privacy breaches, or there's a privacy element in there as well. We can reach out to institutions or to companies. So there is some sense, but as to how to measure what we don't know, we don't know yet. Perhaps when we have more reporting, we'll be able to track some trends more carefully.

4:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Understood.

In our last meeting, we had an extensive discussion with Mastercard about their systems. One question that Mr. Dubé and I brought up a lot was about the fact that the data is processed in the United States, which from a technological point of view is very logical but from a privacy standpoint raises some obvious concerns, especially with the U.S. PATRIOT Act. I wonder if you have any thoughts or input on how to deal with that aspect and data transiting foreign countries.

4:20 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

Dr. Gregory Smolynec

We're currently taking a serious look at our transborder data flow guidance. We intend in the not-too-distant future to consult widely on this guidance. It's a live issue for our office. We're thinking deeply about it and trying to solicit input from various stakeholders.

4:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

So we don't have any clear answers at the moment, but there should be some coming.

4:20 p.m.

Deputy Commissioner, Policy and Promotion Sector, Office of the Privacy Commissioner of Canada

4:20 p.m.

Liberal

David Graham Liberal Laurentides—Labelle, QC

Whether in this Parliament or the next, when you have answers could you send them to this committee?