Offering frontline workers training in privacy policies and practices is absolutely crucial, says Ann Cavoukian, Ontario Information and Privacy Commissioner.
“Privacy and data security are of no use if they remain at the executive level,” Cavoukian told members of the Canadian Institute of Chartered Accountants (CICA) at an event in Toronto earlier this week.
She recalled how department store cashiers sometimes ask customers for their social insurance numbers (SIN). “If you ask them whey they need your SIN, they don’t know. It’s the managers who know why. In fact, stores don’t really need it.”
Cavoukian said frontline workers should be trained on privacy policies and practices as they are the face of the company. “They’re the ones who interact with the customer.”
A new book for business owners that looks at the protection of confidential customer information and data security was launched at the event.
Published by CICA, the book is titled The Canadian Privacy and Data Security Toolkit for Small and Medium Enterprises.
It’s authored by Claudiu Popa, a security specialist and president of Informatica Security Corp., an information risk management, security and privacy consulting firm in Toronto.
Cavoukian endorsed the book, while reminding attendees that companies and their customers benefit most when good security and privacy practices are woven into tech and business processes.
“Privacy is too valuable a concept for remedial measures to be left to the courts.” Rather firms should build such safeguards into their business,” she said.
“Embed privacy into the design of IT, cloud computing, into the structure of your network, it’s got to be there in the core.” She said she doesn’t believe in businesses trying to solve privacy problems after-the-fact.
Read related stories
Be aware of 5 Ps when posting to Facebook, says Ontario Privacy Commissioner
Four ways SMBs can prevent data loss without breaking the bank
Three ways to protect yourself from a Heartland-style data breach
How to keep your laptop data private and safe
Cavoukian noted that she can’t go after every business flouting privacy laws. Cases investigated by her office, she said, represent the tip of the iceberg.. “I don’t have 500 privacy policemen to go scouring for infractions.”
Business and privacy can thrive together, the IPC said. “Privacy isn’t anti-business; it’s about allowing the consumer to determine how their information will be used.”
Any loss of customer information could be disastrous for a business, said Nicholas Cheung, a principal in CICA’s assurance services development department.
“If an SMB loses a client’s information, it breaks the bond of trust with that customer and tarnishes its own reputation,” he said.
Customer data loss can also be very costly for a business.
In data breach incidents, firms spent an average of $202 per compromised customer record, according to research from Traverse City, Mich.-based Ponemon Institute LLC.
The cost includes potential business and customer loss, as well as expenses associated with breach detection, escalation, notification, legal responses and reputation management.
Small and mid-sized firms are often in denial on the issue of cybercrime and data security, according to a survey by security firm McAfee Inc.
In a McAvee poll of 500 IT decision makers in SMB outfits, as many as 44 per cent said cybercrime is only an issue for larger businesses. Nearly 44 per cent believe they aren’t “valuable targets” for cyber crooks.
More than half the firms polled (42 per cent) said they dedicate just one hour a week to proactive IT security management, though 21 per cent realize an attack “could put them out of business”.
Popa of Informatica Security said his book offers SMBs basic information on how to set up privacy policies and practices.
“It provides information – in printed and CD form – that mid-level managers and executives can use to [strengthen] privacy and data security.”
Popa’s book contains:
- A security checklist and self-assessment questions and quizzes to determine an organization’s information risk level
- Advice on privacy and security risk in key areas, such as accounts payable, sales and marketing
- Training templates and a customizable privacy policy
- Advice on identifying privacy and data security-accountable persons in the organization
- Informative articles and resources on privacy and data security
“The kit is compact and comprehensive so it gets read and shared across the business rather than just sitting on the shelf,” Popa said.