In Canada, both the public and private sectors are governed by privacy legislation. Personal information privacy is recognized as an essential element in maintaining public trust, making it extremely important for all regulated organizations to be diligent. Even so, privacy breaches continue to pose a concern for a variety of reasons. Here, we will outline five primary causes of privacy breaches along with some mitigation tips.

What is a privacy breach?

A privacy breach occurs whenever there is unauthorized access to, modification of, or disposal of personal information. Privacy breaches fall into two general categories: internal unauthorized access (think: an employee sending a private file by accident) and external unauthorized access (think: hacking). In either case, there are a variety of reasons why a breach may occur. Here are 5 of the most common:

1. Theft, Loss, or Disappearance of Equipment or Devices

Despite best efforts to keep equipment safe, thefts and losses happen. When the stolen or lost equipment or device contains personal information, the event is considered a privacy breach. Equipment and devices containing personal information should always be stored safely, for instance by placing a laptop in a locked drawer when it is not in use.

2. Sale or Disposal of Equipment or Devices

The second common cause of privacy breaches is a failure to properly wipe data before the sale or disposal of equipment or devices that contain personal information. Before equipment is sold or disposed of, all personal information on it should be purged.

3. Internal “Snooping”

Employees often need to collect, use and disclose the personal information of clients, customers or other employees to do their jobs – but only the minimum required by their particular duties. When employees access personal information that is not relevant to their work, this is a privacy breach often called “snooping.” Restrict employee access to files and documents, both online and physically, to only those who need the information, and monitor all access events.
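The two checks that monitoring of access events makes possible are (a) did this role have any business opening that record, and (b) is this person reading far more records than their job requires. The following is an added example, not code from the original post: it reviews a constructed CSV access log (timestamp, user, role, record id, record department) against a hypothetical role-to-department entitlement table and a bulk-access threshold. The entitlements, the threshold of five records per day and the log lines are all assumptions for illustration.

```python
"""Added example: flag record accesses that fall outside an employee's role.

Constructed data; not code from the original post. Assumes an access log with
one CSV line per event: timestamp,user,role,record_id,record_department.
"""
import csv
from collections import defaultdict
from io import StringIO

# Hypothetical role-to-department entitlements (least privilege: each role may
# only open records belonging to the departments listed here).
ENTITLEMENTS = {
    "billing_clerk": {"billing"},
    "hr_analyst": {"hr"},
    "support_agent": {"support", "billing"},
}

# Constructed sample log. The hr_analyst opening a billing record and the
# billing clerk's run of five reads are the events a reviewer should see.
SAMPLE_LOG = """\
2024-03-01T09:00:12,alice,billing_clerk,rec-1001,billing
2024-03-01T09:01:40,alice,billing_clerk,rec-1002,billing
2024-03-01T09:02:05,bob,hr_analyst,rec-2001,hr
2024-03-01T09:03:30,bob,hr_analyst,rec-1003,billing
2024-03-01T09:04:00,carol,support_agent,rec-3001,support
2024-03-01T09:04:10,alice,billing_clerk,rec-1004,billing
2024-03-01T09:04:15,alice,billing_clerk,rec-1005,billing
2024-03-01T09:04:20,alice,billing_clerk,rec-1006,billing
"""

# Assumed threshold: distinct records per user per day before volume is flagged.
BULK_THRESHOLD = 5


def parse_log(text):
    """Parse CSV log text into dicts, skipping malformed lines instead of crashing."""
    rows = []
    for fields in csv.reader(StringIO(text)):
        if len(fields) != 5:
            continue
        ts, user, role, record_id, dept = fields
        rows.append({"ts": ts, "user": user, "role": role,
                     "record_id": record_id, "dept": dept})
    return rows


def find_out_of_scope(rows, entitlements=ENTITLEMENTS):
    """Return accesses where the user's role is not entitled to the record's department."""
    findings = []
    for r in rows:
        allowed = entitlements.get(r["role"], set())  # unknown role -> nothing allowed
        if r["dept"] not in allowed:
            findings.append((r["ts"], r["user"], r["record_id"],
                             f"role {r['role']} not entitled to {r['dept']}"))
    return findings


def find_bulk_access(rows, threshold=BULK_THRESHOLD):
    """Return (user, day, count) for users reading at least `threshold` distinct records in a day."""
    per_user_day = defaultdict(set)
    for r in rows:
        day = r["ts"][:10]  # ISO timestamp prefix YYYY-MM-DD
        per_user_day[(r["user"], day)].add(r["record_id"])
    return [(user, day, len(ids))
            for (user, day), ids in sorted(per_user_day.items())
            if len(ids) >= threshold]


def review(text):
    """Run both checks over raw log text and return the findings grouped by kind."""
    rows = parse_log(text)
    return {"out_of_scope": find_out_of_scope(rows), "bulk": find_bulk_access(rows)}


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

The out-of-scope check is the one that catches classic snooping (a record the role should never see); the volume check catches the case where every individual access looks legitimate but the pattern does not. In practice the entitlement table would come from the access-control system rather than a literal, and the threshold would be tuned per role.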

4. Privacy Awareness and Training

Low levels of privacy awareness and training among employees put information at risk of privacy breaches. Employees should be trained on proper data and equipment use, as should contractors and other third parties that handle personal information.

5. Phishing

Phishing is a common scam in which someone sends an e-mail that mimics a real organization or person and directs the user to an unsafe website. Phishing, and other deceptive tactics like it, aims to trick individuals into providing their personal information on these fake websites. In the same realm as phishing are hacking attacks and malware, both deceptive practices used to access personal information.
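The mimicry described above usually leaves traces in the message itself: a display name that claims the organization while the sending domain does not match, a Reply-To that diverts responses elsewhere, and links whose visible text shows one site while the href points to another. The following is an added example, not code from the original post, that scores a constructed raw e-mail for those three indicators. The organization domain example.org, the sample message and its look-alike domains are all assumptions made for illustration.

```python
"""Added example: score an inbound e-mail for common phishing indicators.

Constructed message; not code from the original post. Assumes the organisation's
own domain is example.org (hypothetical) and that mail arrives as raw RFC 5322 text.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "example.org"  # hypothetical organisation domain

# Constructed sample: look-alike sender domain, diverted Reply-To and a
# link whose visible text does not match its target.
SAMPLE_MAIL = """\
From: "Example Org Payroll" <payroll@examp1e-org.co>
Reply-To: verify@mail-recovery.net
To: staff@example.org
Subject: Action required: confirm your banking details
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your payroll record needs verification within 24 hours.</p>
<p><a href="http://examp1e-org.co/login">https://portal.example.org/payroll</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr_or_url):
    """Lower-cased domain of either an e-mail address or a URL."""
    if "@" in addr_or_url and "://" not in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    return (urlparse(addr_or_url).hostname or "").lower()


def _html_body(msg):
    """First text/html part, decoded; empty string if the message has none."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode("utf-8", errors="replace")
    return ""


def phishing_indicators(raw, our_domain=OUR_DOMAIN):
    """Return a list of human-readable indicators found in the raw message."""
    msg = message_from_string(raw)
    indicators = []

    # 1. Display name claims our organisation, sending domain does not match.
    name, sender = parseaddr(msg.get("From", ""))
    sender_domain = _domain(sender)
    org_word = our_domain.split(".")[0]
    if org_word in name.lower().replace(" ", "") and sender_domain != our_domain:
        indicators.append(f"display name impersonates {our_domain} but sender is {sender_domain}")

    # 2. Replies are diverted to a different domain than the sender's.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != sender_domain:
        indicators.append(f"Reply-To domain {_domain(reply_to)} differs from sender {sender_domain}")

    # 3. Visible link text shows one domain while the href points at another.
    collector = _LinkCollector()
    collector.feed(_html_body(msg))
    for href, text in collector.links:
        if text.startswith(("http://", "https://")) and _domain(text) != _domain(href):
            indicators.append(f"link text shows {_domain(text)} but points to {_domain(href)}")

    return indicators


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_MAIL):
        print("-", line)
```

None of these indicators proves a message is malicious on its own, which is why the function returns all of them rather than a verdict; a mail gateway would combine them with sender authentication results, and the same list is useful as the concrete "what to look for" content in the awareness training the previous section calls for.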

Here are some of the most important steps you can take to prevent a privacy breach:

  1. Develop and follow security policies and procedures that meet legislative and industry standards (e.g. ISO 2700). In particular, make sure you have a Privacy Breach Protocol in place.
  2. Conduct Privacy Impact Assessments (PIAs) and Threat and Risk Assessments (TRAs) using provincial or federal frameworks, which are often made available by regional Information and Privacy Commissioners.
  3. Before entering any information-sharing or service provider agreements, ensure that their provisions address all privacy and security risks such as control of personal information and implementation of security measures.
  4. Ensure that employees know your privacy and security policies and know how to identify and report a breach. Provide regular and ongoing training to employees, as well as to managers and executives. Some threats, such as phishing scams, change and evolve constantly, and human error happens. Training is forgotten quickly if it is not reinforced.
  5. Ensure that any personnel working off-site are aware of their privacy and security responsibilities.
  6. Report privacy breaches to the appropriate Information and Privacy Commissioner’s office. In many instances, this is a legislative requirement. Yes, they are regulators, but they are invaluable sources of support and assistance when a troubling breach event occurs.

Privacy and security breaches can be costly to organizations in many ways. Examining and managing information security properly will help lower your risk.

Take the first step towards understanding your Privacy and Information obligations while reinforcing confidentiality within your workplace by contacting us today! Cenera’s Privacy and Information Management professionals are committed to providing outstanding data governance and security strategies, policy development support, and privacy training.

Book your complimentary consultation!

P: 403.290.0466
E: contact us

