Some people believe that in an age of Facebook, Foursquare and Twitter, we should give up all our expectations of privacy. While I agree that I’ve been shocked by the amount of personal information that people share (sometimes even how much I share), I still believe that organizations need to have the right technologies, policies and training in place to prevent abuse of personal and sensitive data.
In a wilful privacy breach in 2011, a clerk at British Columbia’s insurance bureau (ICBC) accessed customer data in order to intimidate employees of another organization. One of the victims has launched legal proceedings against ICBC for failing to have suitable data protections in place. ICBC is a sort of universal automobile insurance organization in BC – everyone who wants a driver’s license there must get their insurance via this organization, so their data collection covers most adult BC residents.
Annette Oliver isn’t just worried about sensitive information being made public, but about how that data was used to terrorize her family and co-workers.
Annette Oliver alleges in her lawsuit that her husband’s van was torched on April 17, 2011, at about 2 a.m., which police believe was an arson.
Then on June 1, 2011, Oliver claims, she was at home when she heard three loud bangs at about 5 a.m. and discovered three bullet holes in the front of her house.
Oliver says her husband and two daughters were home at the time.
This wasn’t an isolated case: others had their cars burned and homes shot.
Three months later, on Dec. 14, 2011, the RCMP revealed the investigation had found a link to an ICBC employee, who allegedly accessed personal information of 65 people, including 13 identified as victims who were targeted.
ICBC said at the time the employee under investigation was a woman who had been at ICBC for 15 years before she was fired in August 2011.
It appears from the lawsuit that ICBC either did not use technologies to monitor access to this data or wasn’t using them correctly. I’m always surprised by organizations that steward customer data and don’t do much to properly care for that data. We’ll see in the end whether or not ICBC had suitable protections.
Myths about Data Protection
- Data privacy breaches don’t really hurt people. This one makes me mad. Even something less physically harmful like having their identities stolen can cause years of trouble for your customers, not to mention great financial harm. But data breaches can and do physically harm people.
- Data privacy is about secrecy. No, data privacy protection is about controlling the usage of data for only the reasons for which it was collected. Among other things.
- If the data is available elsewhere, it doesn’t need to be protected in our database. No, IT professionals still have a duty to protect personal and sensitive data in their care.
- Data wants to be free, so we shouldn’t control how it’s used within the organization. Yeah? My cats want to be free, too. And we still don’t let them outside.
- Data protection is just a technology issue. Or: data protection is just a training issue. No, data protection requires technological, process and people-based solutions.
- Encryption is all we need to do. No, because if people can read the data or download it, it’s not encrypted any more. Encryption helps when people walk away with the data. But people who use the data don’t see encrypted data.
- Data privacy requirements can be applied after the system goes into production. This one drives me crazy. Data protection requires effort at all phases of a project. There are architectural, design, development, deployment and maintenance components to be addressed. There are policies and procedures to be developed. There is monitoring and alerting to be practiced.
You know my mantra. Love your data because it’s not really yours. You have a professional duty to ensure it’s safe.
Read the full story at Metronews