TORONTO — With PIPEDA up for review in the coming months, Canadian governments should take the opportunity to look at adopting privacy legislation that has stiffer penalties and is more clearly defined in terms of how businesses should set up their security practices, according to privacy experts.
Speaking at an event on online identity theft in Toronto Wednesday, retired Deloitte partner Robert Parker said Canada’s Criminal Code does very little to protect victims of identity theft.
“There are no penalties but putting someone’s name on the (Privacy Commissioner’s) Web site,” said Parker, adding that the federal Privacy Commissioner Jennifer Stoddart has started to publish more offenders on her Web site.
Parker also said that the voluntary code on top of legislation is confusing.
“The (government) needs to clarify the legislation by streamlining it,” he said. “There aren’t definitives in terms of what companies need to do to safeguard information.”
In the U.S., on the other hand, legislation passed in California in 2004 requires businesses to encrypt any sensitive information that they might have on their customers that’s stored in databases.
“In the U.S. if you don’t treat an individual’s data properly then you will be punished,” said Parker.
“That record can be used to pursue legal matters,” said Docker, who also spoke at Wednesday’s event. “It is essential in detecting fraudulent uses of the system.”
Auditing is one of six areas that is part of Allstream’s approach to identity and access management, which Docker outlined as part of his presentation.
Registration entails the gathering and verification of user identification information. This helps to reduce customer fraud when proper business processes are applied to validate an individual’s identification.
Because many cases of identity theft were perpetrated through non-intended use of Social Insurance Number cards, most organizations have stopped requesting it as a piece of identification, said Parker.
“Organizations are decreasing their requirement of SIN cards as an identifier,” he said.
Following registration, enrollment is the next step that compares an individual’s information with their access rights. After that, a company needs to have a provisioning system in place, which is an automatic process of creating user credentials. By doing this automatically, companies save on overhead and help to reduce human errors. The provisioning process also works in reverse to remove a person’s access to a system such as not allowing a former employee of a company to access their voicemail.
Companies also need to implement authentication and access control measures to allow them to authorize and make sure the person they are talking to is the person they say they are. In this instance, Docker said companies are increasingly using strong authentication methods such as three-factor authentication to prevent an individual from getting access to a system that they do not have privileges for.
Following auditing, Docker said, companies need to adopt single-sign-on solutions like smart cards that require a user to only enter one password to gain entry to multiple systems.
“Since they don’t have to remember 15 passwords, they can have stronger, longer passwords,” said Docker.
Stronger security methods to protect an individual’s right to privacy are forcing businesses to tackle the delicate balance between useability and cost with security, said Eric Skinner, vice-president of product management and alliances, Entrust Inc. Authentication technology in the last couple of years such as one-time passwords and biometrics has experienced low consumer adoption and is very expensive. Entrust has an authentication product called Identity Guard that it says addresses these issues and is currently being piloted by Commerce Bank in Miami, Fla.
“We can provide authentication at a lower cost than alternatives,” said Skinner. “We can see whether the person is coming in from another machine.”
The software uses various authentication methods to verify a user’s identity, such as an image that the user selects which appears when they log on to their banking site. The solution is also applicable to the enterprise for securing access for remote workers.