www.ipc.on.ca
Preserving Privacy in a Security-Centric World
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario
Canadian Information Processing Society (CIPS)
Toronto, Ontario
January 19, 2005
Impetus for Change
Growth of Privacy as a Global Issue
EU Directive on Data Protection
Increasing amounts of personal data collected, consolidated, aggregated
Consumer Backlash; heightened consumer expectations
The New Debate: Privacy After 9/11
It’s business as usual:
• Clear distinction between public safety and business issues – make no mistake
• No reduction in consumer expectations
• Increased value of trusted relationships
Consumer Attitudes
Business is not a beneficiary of the post-9/11 “Trust Mood”
Increased trust in government has not been paralleled by increased trust in business handling of personal information
Privacy On and Off the Internet: What Consumers Want
Harris Interactive, November 2001
Dr. Alan Westin
Information Privacy Defined
Information Privacy: Data Protection
• Freedom of choice; control; informational self-determination
• Personal control over the collection, use and disclosure of any recorded information about an identifiable individual
What Privacy is Not
Security ≠ Privacy
The Foundation of Information Security
The control of information on the part of data holders or their surrogates
Functions:
• Authentication
• Authorization
• Confidentiality
• Data Integrity
• Non-repudiation
• Availability
The Privacy/Security Relationship
Privacy relates to personal control over one’s personal information
Security relates to organizational control over information
These represent two overlapping, but distinct activities
Risk Management
Security Risk Management
• Owner of the data is assumed to be trusted
• System design is trusted
Privacy Risk Management
• Custodian of data not considered trusted
• System design not to be trusted
- E.g. CAPPS II
Privacy and Security: The Difference
Security: Organizational control of information through information systems
• Authentication
• Data Integrity
• Confidentiality
• Non-repudiation
Privacy; Data Protection
• Fair Information Practices
Summary of Fair Information Practices
• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure, Retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance
The Bottom Line
Privacy should be viewed as a business strategy, not a compliance issue
The Promise
Electronic Commerce projected to reach $220 billion by 2001
WTO, 1998
Electronic Commerce projected to reach $133 billion by 2004
Wharton Forum on E-Commerce, 1999
Estimates revised downward to reflect lower expectations
The Reality of E-Commerce
United States: e-commerce sales were only 1.6% of total sales -- $54.9 billion in 2003
U.S. Dept. of Commerce, Census Bureau, February 2004
Canada: Online sales were only 0.8% of total revenues -- $18.6 billion in 2003
Statistics Canada, April 2004
Lack of Privacy = Lack of Sales
“Consumer privacy apprehensions continue to plague the Web. These fears will hold back roughly $15 billion in e-commerce revenue.”
Forrester Research, September 2001
“Privacy and security concerns could cost online sellers almost $25 billion by 2006.”
Jupiter Research, May 2002
The Business Case
“Our research shows that 80% of our customers would walk away if we mishandled their personal information.”
CPO, Royal Bank of Canada, 2003
Nearly 90% of online consumers want the right to control how their personal information is used after it is collected.
ISF Highlights Damage done by Privacy Breaches
The Information Security Forum reported that a company’s privacy breaches can cause major damage to brand and reputation:
• 25% of companies surveyed experienced some adverse publicity due to privacy
• 1 in 10 had experienced civil litigation, lost business or broken contracts
• Robust privacy policies and staff training were viewed as keys to avoiding privacy problems
The Information Security Forum, July 7, 2004
It’s all about Trust
“Trust is more important than ever online … Price does not rule the Web … Trust does.”
Frederick F. Reichheld, Loyalty Rules: How Today’s Leaders Build Lasting Relationships
The High Road
“When customers DO trust an online vendor, they are much more likely to share personal information. This information then enables the company to form a more intimate relationship with its customers.”
Frederick F. Reichheld, Loyalty Rules: How Today’s Leaders Build Lasting Relationships
Translating Privacy Requirements into Technology
Technology and Privacy
“The most effective means to counter technology’s erosion of privacy is technology itself.”
Alan Greenspan, Federal Reserve Chairman
Hot Topics
CIBC Privacy Breach
Government of Ontario Privacy Breach
Identity Theft
CIBC Privacy Breach
West Virginia scrap yard operator alleges that since 2001, his telephone system has been deluged with confidential CIBC customer data (e.g. SSN, account no., client signature)
Toll-free number was one digit different from an internal bank fax number
Filed a lawsuit against CIBC claiming his business was ruined
CIBC filed a court action accusing him of deliberately leaking customer data
CIBC Privacy Breach (cont’d)
Bank acknowledges reports of the misdirected faxes dating back to February 2002
An e-mail message was sent to staff to check their fax machines
The matter was not otherwise investigated or escalated to senior levels
CIBC issued a formal apology and took remedial action (e.g. notification of individuals; fax number taken out of service)
Federal Privacy Commissioner investigating
Privacy Breach: Government of Ontario
Dec 16, 2004, IPC tabled Special Report to the Legislative Assembly of Ontario on the Disclosure of Personal Information by the Shared Services Bureau, Management Board Secretariat, and the Ministry of Finance
27,258 cheques, mailed under the Ontario Child Care Supplement Program, included the personal information of another recipient
Government has committed to implementing all recommendations made by IPC
Recommendations
Independent end-to-end audit of all functions, operations and privacy practices of the Shared Services Bureau
Discontinue use of the SIN number and create a purpose-specific unique identifier
Trial run printing of several sample cheques and manual examination, before each monthly printing of cheques and stubs
Identity Theft
Identity theft occurs when someone uses your personal information such as your name, Social Insurance Number or credit card number without your permission to commit fraud or other crimes
In 2003, more than 13,000 Canadians reported to Phonebusters that they were victims of identity theft but the actual, unreported numbers are probably much higher
The Canadian Council of Better Business Bureaus estimates that identity theft costs the Canadian economy about $2.5 billion annually
Consumer Education
Businesses must continue to educate consumers about identity theft
A study released by the Ponemon Institute in November 2004 found that:
• 70% of consumers are willing to share their personal information or give the answer to a security question in response to an unsolicited phone call or email
• 61% don’t want to be forced to change their passwords to access their accounts
• 57% don’t want their accounts locked down after three failed attempts
Online Identity Theft: “Phishing”
“Spoofed” emails or pop-up messages are used to lure consumers to fraudulent Web sites which mimic actual banks or credit card companies and attempt to trick them into divulging personal information such as their names, account numbers and passwords
In November 2004, more than 1,500 fraudulent Web sites were reported to the Anti-Phishing Working Group
From July to November 2004, there was a 28% average monthly growth rate in such Web sites
“Phishing” in Canada
Phishers are targeting Canadian financial institutions and consumers but most Canadians are unfamiliar with “phishing”
A survey released by Visa in November 2004 found that:
• Only 16% of Canadians with a personal email account and Internet access were familiar with the term “phishing”
• Nearly 60% admitted that they would likely provide personal information if requested through an email from their bank or credit card company
• 4% reported that they had actually been a victim of phishing
Final Thought
“Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”
Forrester Research, March 5, 2001
How to Contact Us
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Phone: (416) 326-3333
Web: www.ipc.on.ca
E-mail: [email protected]