The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
For full contact information and a brief bio, please see David's profile.
The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.
This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.
Friday, May 27, 2005
IT Observer is running an article entitled the Seven Laws of Information Risk Management. All of the rules ring true, in my experience:
IT Observer - The Seven Laws of Information Risk Management:
"1. Your partners and employees will steal from you
You are ultimately responsible for how your employees and business partners access and use your data. Today's information theft debacles are the tip of the iceberg. As globalization and interconnectedness increases without proper vetting and security, employees, customers and trading partners can accidentally corrupt your data or cause regulatory compliance issues through misuse of the data. In the worst-case scenario, they can steal the confidential data and sell it. Information Risk Management technology continuously learns corporate, customer and partner user behavior patterns and alerts to changes in these patterns.
2. Bust up policy barriers
Security, auditing, regulatory affairs and privacy impact the entire organization and should not be kept in departmental silos. People, process and technology must be integrated. A crucial element is that the organization's security executive must have the authority and budget to develop, implement and enforce a holistic information security plan. The mindset of "implied trust" between systems, employees and trusted partners is no longer valid. Information Risk Management technology uses data governance frameworks to integrate business functions, control processes, employee education and cultural values.
3. It's all about privacy
You can't have privacy without security and you can't meet regulatory compliance without privacy. Security is a building block for privacy, which is a major component of regulatory initiatives. For example, CA1386, HIPAA and GLBA in the United States and the Japan Information Privacy Law are primarily about privacy. The fundamental weakness to such laws is they cannot protect your brand, sensitive data, business continuity or financial position against a breach. Implementing a comprehensive information risk management solution helps you achieve privacy and compliance through security.
4. Don't stop working
Effective Information Risk Management should not radically alter work or its flow. Examples are rife of organizations implementing draconian policies that substantially reduce productivity and impair customer service, while providing questionable security benefits. Securing information is fundamentally about protecting data integrity, confidentially and availability at rest and as it moves through the organization and beyond to the value chain. As such, Information Risk Management must protect information "in context" of business processes, decisions and evolving conditions.
5. Don't spend foolishly
You must match the level of Information Risk Management investment directly to the level of risk. Business process owners should determine risk profiles of the organization's data. For instance, customer data has a much higher risk profile than a marketing brochure PDF. The resulting risk management portfolio is an essential guide to selecting the necessary technologies. The next step is evaluating the risk reduction on investment.
For each dollar invested, ascertain the quantitative and qualitative risk mitigated by the technology. Every organization has an optimal risk reduction on investment tipping point.
6. Be afraid - it will happen to you
Expect the unexpected by assigning responsibilities before a privacy breach occurs. Information theft only happening to the "other guy" is just a myth and the chance is greater than 50 percent that it has already happened at your organization. Access to customer demand forecasts, financial records and patents is very valuable, not just to your trusted partners, but also to thieves and harvesters. Protecting against abused authorized user privileges should top the list of priorities. Ernst & Young recently reported that 70% of all security breaches that involve losses of more that $100,000 are perpetrated internally.
7. No silver bullet
There is no single technology that will solve security problems or provide regulatory compliance! Proper planning of how people and processes should leverage technology and enforce business rules and security best practices is key to a successful Information Risk Management strategy. The right Information Risk Management solution should be judged on its vulnerability assessment, monitoring, auditing and deterrence functionality. Also important are global support for heterogeneous databases, compliance reporting and cost efficiency. Remember that Information Risk Management is a process that requires continuous monitoring, auditing and adjustment of how sensitive information is used - not just an initial risk assessment."
Businesses should pay particular attention to "It will happen to you" and then re-read the other six ...
Labels: information breaches
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.