Companies hoping to save money by not investing in data protection technologies don’t get much sympathy from British Columbia’s information and privacy commissioner.
“It’s one of those things you have to weigh,” Michael McEvoy told the IdentityNorth Spring Symposium on Wednesday. “It’s a bit of a risk assessment — how sensitive is the data? How vulnerable are you? And then think about what would happen if things go wrong, and what the consequences of that would be.”
Even in B.C.’s multi-million-dollar public health sector “my sense was there was a reluctance to invest those funds” in data protection, he said. But “if things go sideways the implications of harm to individuals will undermine the trust that people have in the system.”
In 2021, he noted, Newfoundland and Labrador temporarily had to shut down the provincial healthcare system because of a cyberattack. Lives can be at stake if there’s a breach of security controls, McEvoy pointed out.
Having trouble deciding what to do? Privacy regulators can advise companies on how to measure their security and privacy risks, he added.
He also urged firms to invest in proactive IT security auditing systems to find and plug vulnerable systems and processes before an attack. A program that audits logs after an event is useless, he said.
Last year, McEvoy investigated B.C.’s Public Health Information System — which holds sensitive patient data — and concluded, “very disturbingly, there exists no proactive audit program that would alert authorities to those who try to use the system for nefarious purposes. Neither a malicious attack nor an authorized employee abusing their credentials is likely to be caught in the act.”
“What you want to be doing is get on top of that before things develop,” he told the conference.
Proactive auditing tools are expensive, he admitted. “But where the stakes are very high there needs to be a high investment in securing that information.”
Going into the final 12 months of his term, McEvoy said he hopes B.C. will amend its private sector privacy law to force businesses to report data breaches to his office in some way. Of the four jurisdictions in Canada with private sector privacy laws (including Alberta, Quebec and the federal government), only B.C. doesn’t have mandatory breach reporting. “In this day and age, that is obviously not acceptable to the public, not acceptable to companies who are doing proper work. We want to create a level playing field (with the other jurisdictions). We would expect the government of British Columbia to step forward to ensure that the private sector is covered.”
That may depend on the progress of the proposed federal private sector law C-27 now before Parliament, he added.
McEvoy also approvingly noted that, starting this year, the 2,900 public sector organizations in B.C. (including municipalities and school boards) have to report breaches of security controls to his office. Quebec was the first of the provinces to require this.
On the other hand, he said, Quebec didn’t wait for federal law reform, and recently amended its private sector law. That includes a provision that any firm collecting biometric data (images, fingerprints) has to notify the privacy commissioner.
“Stay tuned for a report that our office will be looking at use, I think, of biometrics in the retail sector with regards to facial recognition technology,” McEvoy added. “You do see oftentimes companies looking at this shiny new technology and thinking about its use, but I don’t think they think deeply enough about it and the implications for protecting the privacy rights of their customers and clients.”
In 2020, the privacy commissioners of B.C., Alberta, Quebec and the federal government joined in a report that censured mall owner Cadillac Fairview for collecting and analyzing 5 million shoppers’ images without their knowledge or consent.