Thus began, the “Effectively Partnering Information Security and Privacy” presentation to the York Technology Association (YTA) members at their monthly luncheon at the Sheraton Hotel in Richmond Hill on Thursday November  26th, 2009. The same topic had been presented a month earlier as part of the Toronto Board of Trade’s Advanced Business Fundamentals series on Wednesday October 28th, 2009. With a variety of businesses represented, ranging from banks, integration specialists, insurance companies to government agencies, the presentation was kept at a high level.

The presentation started with an overview of the implications of rapidly changing technology and how this has “changed and challenged our existing paradigms on the way we view personal information and privacy”. One of the more disturbing statistics presented was that “ last year, the FBI reported that for the first time ever, revenue from cybercrime had exceeded drug trafficking as the most lucrative illegal global business, estimated at reaping in more than $1 trillion annually in illegal profits.” The presentation highlighted the need for employees to be treated as clients in order to become engaged with privacy and security initiatives. “Employee indifference is the #1 vulnerability facing companies today with respect to protecting their information assets”, according to Julius.

By the time it ended with the “busting of privacy management myths”, it was evident that the audience left asking for more, if not asking questions about their own privacy and information security initiatives.

YTA members are at the forefront when it comes to obtaining information, insight and action on matters of importance in the technology cluster. Since 1982 the YTA has been a strong voice for everyone in York Region’s tech cluster - supporting business developers, innovators, suppliers, and providers.

For more information on the YTA,  visit http://www.yorktech.ca/

“We have seen a storm of protest and outrage over alleged privacy violations and my Office also has questions about how Google Buzz has met the requirements of privacy law in Canada,” Commissioner Jennifer Stoddart said in a statement.

The privacy issue surrounding Google’s Buzz, a “Twitter”like social networking tool, is that it publicly reveals the most-used contacts of users by assigning a network of “followers” based on the people with whom they communicate with most often via Google’s e-mail and chat services. The list of “followers” is included in a widely available online profile unless users switch to a hard-to-locate setting. Furthermore, there is no method to completely “opt out” after enrolling in Google Buzz. It only disables use by the opted out user; leaving connections to users which were following them intact.  Adding fuel to the fire, users have to manually block people each time a new person follows them whom they would prefer not to.

Although the Commissioner expressed disappointment that, despite the clear and significant privacy implications, the California-based corporation failed to consult her Office prior to unveiling Buzz in Canada. Google company spokesman, Wendy Rozeluk, said in an e-mail that Google has an “open line” with her. “We had an in-depth discussion with her about how Google Buzz works and about the changes we made. We’re always happy to hear from privacy commissioners in Canada and in other countries,” Ms. Rozeluk said.

And that’s the Buzz.

For more, visit:
http://www.theglobeandmail.com/news/politics/privacy-czar-takes-on-google-buzz/article1472028/
http://www.priv.gc.ca/media/nr-c/2010/nr-c_100217_e.cfm

prag⋅ma⋅tism: n., A practical, matter-of-fact way of approaching or assessing situations or of solving problems.

Privacy in the 21st century needs to be approached with “radical pragmatism”. This according to Ann Cavoukian, Information and Privacy Commissioner of Ontario (IPCO), in the IPCO anthology paper titled, Privacy and Radical Pragmatism: Change the Paradigm, recently released in an anthology of her office’s works, Privacy By Design … Take the Challenge. The anthology highlights the IPCO’s vision, philosophy and approach toward advancing information privacy. She stressed at an IAPP Knowledgenet presentation on October 20, 2009 that “most privacy breaches remain undetected – as regulators, we only see the tip of the iceberg; the majority of privacy breaches remain unchallenged, unregulated – unknown. Compliance alone, is unsustainable as a model for ensuring the future of privacy; for that, we must turn to measures such as Privacy by Design: the Gold Standard – embedding privacy proactively into the core.”

‘“Radical” pragmatism (radical used here in the sense of “far-reaching” or “thorough”) is the embodiment of a positive-sum paradigm, involving taking a practical approach, and invoking the need for transformative technologies.’  Furthermore, the paper defined:

Positive-Sum Paradigm + Privacy-Enhancing Technology = Transformative Technology

Taken by its own, this definition could be quite a mouthful, however, these concepts are explained in the paper.

“A Positive-Sum Paradigm describes a situation in which all participants may mutually gain together (win-win). Conversely, a Zero-Sum Paradigm describes a concept or situation in which one party’s gains are balanced by another party’s losses – win/lose;either/or; enhancing security often comes at the expense of privacy – the more you have of one, the less you can have of the other” , stated Ann in her presentation to the IAPP.

Contradicting the view that achieving privacy objectives, comes at the expense of operational efficiency, usability, innovation or other desired business goals, the positive-sum paradigm does require that privacy be built into systems or procedures from the outset, thereby, introducing the IPCO mantra of “Privacy by Design”. Privacy factors when properly considered during the initial design, are typically easier to get buy-in and resources. Conversely, having to retrofit a solution will typically be met with more opposition and require more effort to implement. The IPCO paper suggests that failure to understand the “Privacy Payoff” is a factor for this short sightedness:

1. Consumer trust drives successful customer relationship management and lifetime value … in other words, revenues
2. Broken trust will result in a lost off market share, loss of revenue, and lower stock value.
3. Consumer trust hinges critically on the strength and credibility of an organization’s data privacy policies and practices

Thankfully, by utilizing Privacy by Design foundational principles, “the effect is a minimization of the unnecessary collection and use of personal data by the system, while at the same time, strengthening data security, and empowering individuals to exercise greater control. This can result in technologies that achieve strong security and privacy, or privacy and functionality, delivering a “win-win” outcome”, maintained Ann in her presentation.

Privacy-enhancing technologies (PETs), defined as “coherent systems of information and communication technologies that strengthen the protection of an individual’s private life in an information system by preventing unnecessary or unlawful processing of personal data or by offering tools and controls to enhance the individual’s control over his/her personal data”, when used, provide the dual benefit of users having maximum control over their personal information and little to no impact on system functionality and performance; further supporting the positive sum paradigm’s win-win scenario.

Developing these types of technologies with a positive-sum paradigm mandate are what the paper describes as a “transformative technology”. Transformative in the sense that it converts a typically privacy-invasive feature of the technology into a privacy-protecting one. The paper goes on to give examples and full descriptions of some of these types of technologies, such as bioemetric encryption, clipped tag RFIDs, CCTV image encryption, whole body imaging etc.

Given the rapidly changing technological and social currents affecting privacy, viewing privacy as merely a compliance activity is akin to simply treading water. With the level not only being raised but shifting continually, a radical privacy pragmatism is required to ensure that privacy is kept in its proper perspective.

The results were based upon nine focus groups from across Canada  with over 600 responses from Canadian IT security professionals employed by Canadian companies with over 100 employees. The study also compared the satisfaction levels for company IT security postures which were dependent on a number of factors including budget levels,  organization type, awareness training, outsourcing mandate and technology adoption, to name a few. The report is available at www.telus.com/securitystudy, along with the IT Security Assessment Tool used by the respondents.

Overall Breach Costs have risen

The trend should not come as a surprise, however, the study showed that “For Canadian owned companies the average annual loss $397,887, for U.S. owned companies doing business in Canada the average annual loss is $499,859 and for organizations doing business in Canada with headquarters in Europe, South America or Asia the average annual loss due to breaches is $449,950.Annual loss for a private company is $293,750, for publicly traded companies the average annual loss is $637,500 and government it is $321,429. These figures compare to the average loss per respondent in the U.S. CSI survey at $345,000 in 2007, up substantially from $167,713 in 2006.”

Although the average number of breaches reported annually in Canada has almost quadrupled to 11.3 between 2008 and 2009, the average single breach cost is significantly lower. This can be attributed partially to the fact that organizations have improved their ability to detect security events and are also improving their response to breaches, thereby, lowering individual breach costs.

Canadian companies reported equivalent or higher amounts of breaches as their southern neighbour in 2009, however, insider breaches almost doubled and are now comparable to USA numbers. “In 2008, 17% of Canadian organizations reported breaches related to insider activity, while the USA statistic was about 60%. In 2009, this has increased to 36% in Canada and decreased to 44% in the USA, based on the latest CSI survey.”

Supporting this trend, the 4 fastest rising breach categories were:

1.       Unauthorized access to information by employees (increased 112%)

2.       Bots within an organization (increased 88%)

3.       Financial fraud (increased 88%)

4.       Theft of proprietary information (increased 75%)

Another subtle difference is the extent to which security is linked to personal performance evaluation. About  40% of Canadian respondents indicated that security is part of their personal performance evaluation, whereas this number was 50% in the U.S., compare this to 85% in Europe and Asia!

The study showed that although Canada has caught up with the U.S. in terms of security investment due to compliancy requirements for regulations, such as PCI and PIPEDA . “This catching up has come at a cost: organizations have not developed the skill sets and organizational maturity required to fully leverage their investment”, according to the study.  ”Generally speaking, the maturity of compliance programs in Canada lags that of the U.S., and this is reflected in lower tendencies to measure security performance, communications related to risk and security, and attitudes towards accountability.”

“Flash cookies”, officially termed “local shared objects” (LSO) were introduced as a feature of Adobe’s Flash MX technology, now commonly used by popular web-sites. Its primary use was meant for caching and saving settings. However, it is the use as a user tracking mechanism which has opened it upto privacy investigation. Compared with traditional HTTP cookies, flash cookies have the advantages of much larger storage sizes (100+ vs. 4 Kb), no expiration dates by default and inconspicuous storage location. For these reasons, they have become widely used to track user activity for behavioral advertising.

With the growing concern over online consumer privacy, US federal regulators are considering implementing rules focused on users’ ability to avoid tracking. Flash cookies, however, have not yet entered into this discussion. Means to review, control creation or delete these objects are almost as inconspicuous as the cookies themselves. Adobe provides a Flash Player Settings Manager web-page to manage the privacy settings for sites that contain SWF or FLV content or run the Flash Player application. Typical browser settings, which control standard HTTP cookies, do not yet maintain Flash cookies but thankfully add-ons, such as Mozilla Firefox’s BetterPrivacy 1.29, are available to provide a user-friendly interface to manage them. Of important note from the UC Berkley report, the vast majority of sites displayed no functionality issues after third-party Flash content was disabled, however, 9 of the tested sites would not display Flash content.

The UC Berkley study was conducted on the top 100 ranked web-sites to determine whether they were using Flash cookies and the privacy implications associated with their use. Almost a third of the sites utilizing Flash cookies seem to be replicating information in standard HTTP cookies. Interestingly, 14 of 31 sites, which carried the TRUSTe Web Privacy Seal, employed Flash cookies. Meanwhile, only 4 of the sites mentioned the use of Flash in their privacy policy, as a mechanism used to track user habits. In addition, one site when tested for its interaction with the Network Advertising Initiative (NAI) opt-out cookie, regenerated an HTML cookie even after the opt-out cookie was set. It is evident that though there are certainly great benefits gained by using Flash cookie technology, there is currently a lack of accountability, appropriate notification and opt-out mechanisms available to users.

Google Opt Out Feature Lets Users Protect Privacy By Moving To Remote Village

Effective Privacy Risk Management is an organization’s ability to proactively manage both risks and opportunities towards achieving a desired/optimal state. To identify privacy risks, one must be able to systematically assess the threats and vulnerabilities that can jeopardize the privacy of Personal Information (PI).

This course presents a practical Threat and Risk Assessment (TRA) methodology applicable to any privacy or security situation, with examples and exercises relevant to people, processes, and technological environments.

Course Outline

* Understand the TRA requirement
* Set the scope of the assessment
* Identify assets containing PI
* Assess potential threats
* Examine existing and proposed safeguards
* Determine remaining vulnerabilities
* Calculate residual risk
* Recommend an appropriate response
* Determine risk treatment plan

2 Days Course
October 1 - 2nd, 2009

Please Click for further details

On Wednesday July 29th 2009, we will be hosting a Privacy and Data Protection Seminar at the Toronto Board of Trade.  Our special guest speaker will be Anita Fineberg, LL.B. who is a very dynamic speaker, course leader and trainer and has spoken at privacy conferences and workshops around the world.  She holds a B.A. (Hons.) degree in psychology from Queen’s University and an LL.B. from the University of Toronto.  She holds a CIPP/C Certification from the International Association of Privacy Professionals.

During this session we will discuss the evolution of privacy and security activities within businesses, and highlight important trends of which businesses must be aware.  We will define and discuss the Privacy and Security roles, responsibilities, and company challenges, as well as business processes that are most impacted by Privacy and Security processes and initiatives.

Privacy Strategy. We will discuss effective privacy strategies and the business impact of privacy, including common regulatory and compliance issues. We will describe key privacy issues to address within any type of organization.

Information Security Strategy. We will discuss effective Security strategies and the business impact of security, such as those relating to risk management and regulatory compliance. We will provide a practical method of incorporating industry best practices (ISO 27001, COBIT, CSA) into any organization.

For more information and registration. Download the attached PDF here.

Eosensa is pleased to join the International Association of Privacy Professionals (IAPP) as a corporate member.  The IAPP is responsible for developing and launching the first broad-based credential granting program in information privacy, the Certified Information Privacy Professional (CIPP). Says Julius Azarcon CIPP/C, “Although myself and other Eosensa staff have been members of the IAPP for many years,  we felt it was important that as an organization Eosensa engages with the IAPP to demonstrate our commitment to the growth of privacy best practices.”www.privacyassociation.org

Certified Information Privacy Professional/Canada (CIPP/C) is the first professional credential to be designed by Privacy Professionals for Canadian privacy professionals and is offered exclusively by the IAPP.

Please visit the IAPP for more information.