The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.
The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.
Wednesday, December 07, 2005
In response to a new New York State law that requires notification of security and privacy breaches, Cornell University has issued the following media release outlining its plans for compliance:
Cornell complies with new state law on notification about stolen data
By Bill Steele
If someone hacks into a Cornell University computer and pulls out personal and private information about members of the Cornell community, the people whose data has been compromised will be notified promptly, according to Cornell Information Technologies and the University Counsel's office.
Although the exact procedures have not been worked out, notification would be by ordinary mail, according to Norma Schwab, associate university counsel. E-mail notification, she said, is not legally adequate and might be unreliable, especially in an age when users are bombarded with "phishing" messages with subject lines like "your account has been compromised."
The notification plan is being developed by an ad hoc group called the Data Incident Response Team, which includes members from the Office of Information Technologies, the Office of University Counsel, Cornell Police and the University Audit Office. The group meets periodically to consider data security policy and comes together whenever there is a concern that sensitive data may have been accessed.
The action is in response to a New York state law, the Information Security Breach and Notification Act, passed in August and going into effect Dec. 8. The law requires any business -- including nonprofits -- that maintains personal and private data to provide notification when its systems are invaded and there is a reasonable belief that personal information might have been revealed. The kinds of data involved include Social Security and driver's license numbers and credit card information, and the notification requirement is intended to help consumers fend off possible identity theft.
"It made sense that we should let people know that we are complying with the new law," said Steve Schuster, director of information security. Schuster said he plans to take advantage of the opportunity to make Cornell staff more aware of their responsibilities to protect sensitive data.
"We're still in a state where our data resides in a lot of different areas," he explained. "We all have to take responsibility for it." In other words, sensitive information is not all on one university mainframe, but may also be on ordinary desktop computers in various departments. Schuster plans to require that all new staff members receive a policy and practices briefing -- a short version of the Travelers of the Electronic Highway course required for new students -- before they are issued net IDs. He hopes eventually to set up some sort of annual review of security procedures for all staff. For nontechnical staff, security measures include using strong passwords, protecting those passwords from disclosure and physically securing the computer.
University policies on security are being updated. The venerable Responsible Use of Electronic Communications policy is being expanded as Responsible Use of Information Technology Resources, and it will incorporate policies on data management and security. Data will be broken into three categories: regulated information for which state and federal laws require security, such as Social Security numbers and grades; "Cornell confidential" information, such as salaries and performance reviews; and public data. Security should be tailored to the level of confidentiality of the data. "It will be necessary for departments to inventory where these data reside in their systems," Schuster said.
Despite having very talented people around, higher education institutions are not immune to security breaks, Schuster pointed out. "In the first six months of 2005 there were 72 media-worthy computer compromises in the United States," he reported, "and slightly over half of them were in higher ed. We deal with break-ins here all the time, but we have a really good process in place."
The New York law, patterned on one passed about two years ago in California, was inspired by several incidents in which large corporate databases were compromised. In the most widely publicized case, ChoicePoint, a credential-verifying firm, allowed criminals to obtain personal data on some 140,000 people. At least 15 states have passed similar laws, and legislation is pending at the federal level.
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.