Spend to improve data protection and customer trust, urges BC privacy commissioner

Companies hoping to save money by not investing in data protection technologies don’t get much sympathy from British Columbia’s information and privacy commissioner.

“It’s one of those things you have to weigh,” Michael McEvoy told the IdentityNorth Spring Symposium on Wednesday. “It’s a bit of a risk assessment — how sensitive is the data? How vulnerable are you? And then think about what would happen if things go wrong, and what the consequences of that would be.”

BC Information and Privacy Commissioner Michael McEvoy, left, and IdentityNorth co-chair Aran Hamilton

Even in B.C.’s multi-million dollar public health sector “my sense was there was a reluctance to invest those funds” in data protection, he said. But “if things go sideways the implications of harm to individuals will undermine the trust that people have in the system.”

In 2021, he noted, Newfoundland and Labrador temporarily had to shut down the provincial healthcare system because of a cyberattack. Lives can be at stake if there’s a breach of security controls, McEvoy pointed out.

Having trouble deciding what to do? Privacy regulators can advise companies on how to measure their security and privacy risks, he added.

He also urged firms to invest in proactive IT security auditing systems to find and plug vulnerable systems and processes before an attack. A program that audits logs after an event is useless, he said.

Last year, McEvoy investigated B.C.’s Public Health Information System — which holds sensitive patient data — and concluded, “very disturbingly, there exists no proactive audit program that would alert authorities to those who try to use the system for nefarious purposes. Neither a malicious attack nor an authorized employee abusing their credentials is likely to be caught in the act.”

“What you want to be doing is get on top of that before things develop,” he told the conference.

Proactive auditing tools are expensive, he admitted. “But where the stakes are very high there needs to be a high investment in securing that information.”

Going into the final 12 months of his term, McEvoy said he hopes B.C. will amend its private sector privacy law to force businesses to report data breaches to his office in some way. Of the four jurisdictions in Canada with private sector privacy laws (including Alberta, Quebec and the federal government), only B.C. doesn’t have mandatory breach reporting. “In this day and age, that is obviously not acceptable to the public, not acceptable to companies who are doing proper work. We want to create a level playing field (with the other jurisdictions). We would expect the government of British Columbia to step forward to ensure that the private sector is covered.”

That may depend on the progress of the proposed federal private sector law C-27 now before Parliament, he added.

McEvoy also approvingly noted that, starting this year, the 2,900 public sector organizations in B.C. (including municipalities and school boards) have to report breaches of security controls to his office. Quebec was the first of the provinces to require this.

On the other hand, he said, Quebec didn’t wait for federal law reform, and recently amended its private sector law. That includes a provision that any firm collecting biometric data (images, fingerprints) has to notify the privacy commissioner.

“Stay tuned for a report that our office will be looking at use, I think, of biometrics in the retail sector with regards to facial recognition technology,” McEvoy added. “You do see oftentimes companies looking at this shiny new technology and thinking about its use, but I don’t think they think deeply enough about it and the implications for protecting the privacy rights of their customers and clients.”

In 2020, the privacy commissioners of B.C., Alberta, Quebec and the federal government joined in a report that censured mall owner Cadillac-Fairview for collecting and analyzing 5 million shoppers’ images without their knowledge or consent.

Howard Solomon
Currently a freelance writer. Former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, Howard has written for several of ITWC's sister publications, including ITBusiness.ca. Before arriving at ITWC he served as a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.