TORONTO – With PIPEDA up for review in the coming months, Canadian governments should take the opportunity to look at adopting privacy legislation that has stiffer penalties and is more clearly defined in terms of how businesses should set up their security practices, according to privacy experts.
Speaking at an event on online identity theft in Toronto in March, retired Deloitte partner Robert Parker said Canada’s Criminal Code does very little to protect victims of identity theft.
Privacy Commissioner Jennifer Stoddart has started to publish more offenders on her Web site – and that’s the only penalty, he said. Parker also said the legislation on top of the voluntary code is confusing.
“The (government) needs to clarify the legislation by streamlining it,” he said. “There aren’t definitives in terms of what companies need to do to safeguard information.”
In the U.S., on the other hand, legislation passed in California in 2004 provides additional obligations if unencrypted personal information is compromised.
“In the U.S. if you don’t treat an individual’s data properly you will be punished,” said Parker.
Businesses should have an audit process written into their overall privacy policy in case of legal action. MTS Allstream solutions architect Ian Docker said auditing provides a tamper-proof record of transactions in a company’s systems. “That record can be used to pursue legal matters,” said Docker, who also spoke at the event. “It is essential in detecting fraudulent uses of the system.”
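To make the "tamper-proof record" Docker describes concrete, the following added example (not code from the event, MTS Allstream or any of the speakers) shows one common way to get the property: a hash-chained audit log in which every record carries the hash of the record before it, so altering, deleting or reordering an earlier entry breaks every hash that follows. The log layout, the sample events and the external "anchor" are all constructed for this example.

```python
"""Added example: a tamper-evident (hash-chained) audit log.

Each record stores the hash of the previous record, and its own hash covers
its sequence number, that previous hash and the event. A later edit to any
record therefore fails verification at that record. Because an insider with
write access could recompute the whole chain, the tail hash is also compared
against an "anchor" stored outside the system (e.g. mailed to an auditor or
written to a separate append-only store). All names and events here are
constructed for illustration.
"""
import hashlib
import json

GENESIS = "0" * 64  # the hash "before" the first record


def _digest(seq: int, prev_hash: str, event: dict) -> str:
    # Canonical JSON so the same event always hashes the same way.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    data = f"{seq}|{prev_hash}|{payload}".encode()
    return hashlib.sha256(data).hexdigest()


def append(log: list, event: dict) -> dict:
    """Append an event, linking it to the current tail of the log."""
    seq = len(log)
    prev = log[-1]["hash"] if log else GENESIS
    record = {"seq": seq, "prev": prev, "event": event,
              "hash": _digest(seq, prev, event)}
    log.append(record)
    return record


def verify(log: list, anchor: str = None) -> tuple:
    """Check the chain; return (ok, first_bad_seq).

    first_bad_seq is None when everything holds. If an external anchor is
    supplied, the tail hash must match it, which catches a chain that an
    insider rewrote from some point onward and recomputed consistently.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if (rec["seq"] != i or rec["prev"] != prev
                or rec["hash"] != _digest(i, prev, rec["event"])):
            return False, i
        prev = rec["hash"]
    if anchor is not None and prev != anchor:
        return False, len(log) - 1  # internally consistent but not the log we anchored
    return True, None


if __name__ == "__main__":
    # Constructed sample events: an employee looks up and exports customer data.
    log = []
    append(log, {"user": "alice", "action": "login"})
    append(log, {"user": "alice", "action": "lookup", "record": "customer/4412"})
    tail = append(log, {"user": "alice", "action": "export", "rows": 200})
    anchor = tail["hash"]  # would be stored outside the system
    print("clean log:", verify(log, anchor))

    # Someone later tries to pin the lookup on a different user.
    log[1]["event"]["user"] = "bob"
    print("after tampering:", verify(log, anchor))
```

The second check is the one that matters for legal use: a chain verified only against itself proves nothing if the party being investigated can rewrite the whole file, so the tail hash has to be periodically copied somewhere they cannot reach.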
Social insurance numbers abused
Because many cases of identity theft were perpetrated through the unintended use of social insurance numbers, most organizations have stopped using them as a personal identifier.
“Organizations are decreasing their requirement of SIN cards as an identifier,” he said.
Following registration, the next step is enrolment, which compares an individual's information with their access rights. After that, a company must have a provisioning system in place: an automated process for creating user credentials. Doing this automatically saves on overhead and helps reduce human error.
The provisioning process also works in reverse to remove a person’s access to a system, for example, not allowing former employees of a company to access their voicemail.
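The provisioning and de-provisioning steps above are, in practice, a reconciliation loop: compare an authoritative list of current staff against the accounts that exist in a system, create what is missing and disable what should no longer be there. The following added example (not code from the event or from MTS Allstream) shows that loop; the HR roster, the account store and the credential generator are constructed stand-ins, not any vendor's API.

```python
"""Added example: automated provisioning and de-provisioning.

Drives a target system's account store toward an authoritative HR roster.
Joiners (and re-hires) get an account and a fresh initial credential;
leavers get their account disabled rather than deleted, so the audit trail
for what they did survives. Everything here is a constructed stand-in.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    enabled: bool = True
    credential: str = ""


@dataclass
class ReconcileResult:
    created: list = field(default_factory=list)
    disabled: list = field(default_factory=list)
    unchanged: list = field(default_factory=list)


def new_credential() -> str:
    """Generate an initial credential. In a real deployment this would be a
    short-lived enrolment token handed to the user, never a static password
    that an administrator also knows."""
    return secrets.token_urlsafe(24)


def reconcile(roster: set, accounts: dict) -> ReconcileResult:
    """Make `accounts` (username -> Account, mutated in place) match `roster`.

    The roster is the authoritative source: anyone on it gets an enabled
    account, anyone not on it loses access. The function is idempotent, so it
    can run on every HR change or on a schedule.
    """
    result = ReconcileResult()

    # Joiners and re-hires: provision or re-enable, always with a new credential.
    for user in sorted(roster):
        acct = accounts.get(user)
        if acct is None:
            accounts[user] = Account(user, True, new_credential())
            result.created.append(user)
        elif not acct.enabled:
            acct.enabled = True
            acct.credential = new_credential()  # never revive the old one
            result.created.append(user)
        else:
            result.unchanged.append(user)

    # Leavers: enabled accounts with no matching person on the roster.
    for user, acct in sorted(accounts.items()):
        if user not in roster and acct.enabled:
            acct.enabled = False
            acct.credential = ""  # voicemail, e-mail, VPN: all gone with one flag
            result.disabled.append(user)

    return result


if __name__ == "__main__":
    # Constructed sample data: carol has left but still has a live account.
    hr_roster = {"alice", "bob", "dana"}
    directory = {
        "alice": Account("alice"),
        "bob": Account("bob"),
        "carol": Account("carol"),
    }
    r = reconcile(hr_roster, directory)
    print("created :", r.created)
    print("disabled:", r.disabled)
    print("carol can still log in:", directory["carol"].enabled)
```

Two design choices carry the security weight here: the roster, not a ticket queue, decides who has access, so a forgotten off-boarding ticket cannot leave a former employee's voicemail reachable; and a re-hire gets a new credential rather than the old account simply being switched back on.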
Companies must implement authentication and access control measures so they can authorize users and make sure the people they are dealing with are who they say they are. Here, Docker said, companies are increasingly using strong authentication methods such as three-factor authentication to prevent individuals from gaining access to a system for which they have no privileges.
Following auditing, Docker said, companies must adopt single-sign-on solutions such as smart cards that require a user to enter only one password to gain entry to multiple systems.
“Since they don’t have to remember 15 passwords, they can have stronger, longer passwords,” Docker said.