Due to the global COVID-19 pandemic, businesses and organizations are shifting their operations to home work environments. Meanwhile, opportunistic cyber criminals are capitalizing on the coronavirus to roll out a series of new scams to collect sensitive information and steal money.
Widely reported examples include cyber criminals mimicking reputable organizations such as the World Health Organization or public health authorities to trick users into giving up their email and password credentials, or into downloading malicious software that enables the attacker to gain access to the organization’s computer systems. Cyber criminals are also mimicking tax authorities and inviting individuals to click on a link to download fake refunds in the wake of recent economic relief efforts.
No business or organization wants to be featured on the front page as the most recent cyber victim, or have to notify its clients or customers of a security breach. We briefly highlight what your organization should be doing to safeguard its systems and personal information under a work-from-home protocol, your organization’s statutory responsibilities in this regard, and an example of how inadequate security safeguards increase the risk of cyber-attacks and adverse regulatory decisions.
Statutory Obligations to Safeguard Personal Information
Businesses and organizations have a statutory obligation to ensure that their information is safeguarded at all times, including while accommodating remote working arrangements.
Private companies in British Columbia must at all times comply with the Personal Information and Protection of Privacy Act, SBC 2003, c.63 (“PIPA”). PIPA requires organizations to use reasonable physical, administrative and technical safeguards to protect personal information from unauthorized access, collection, use, disclosure, copying, modification or disposal or similar risks.
Private companies located outside of British Columbia or in a province or territory that does not have its own substantially similar privacy legislation, and federally regulated organizations, such as radio and television broadcasters and inter-provincial transport companies, must comply with the Personal Information Protection and Electronic Documents Act, SC 2000, c.5 (“PIPEDA”). PIPEDA requires businesses to, among other things, protect personal information with security safeguards that are appropriate to the sensitivity of the information.
If you are a public sector organization in British Columbia, such as a university, school, municipality, provincial government body, or a self-governing regulatory body, you are governed by the Freedom of Information and Protection of Privacy Act (“FIPPA”), also known as FOIPPA, which requires organizations governed by it to protect personal information in their custody or under their control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.
Risks posed by inadequate safeguards and phishing attacks
The Office of the Privacy Commissioner of Canada’s (“OPC’s”) public report of findings into its investigation of the security safeguards of the World Anti-Doping Agency (“WADA”), demonstrates the risks that inadequate security safeguards pose to both individuals and organizations with respect to phishing attacks.
On August 4, 2016, WADA was the subject of a spear-phishing campaign in which e-mails were sent to its employees purportedly from its Chief Technology Officer. As a result, three employee e-mail accounts were compromised. Shortly thereafter, the attackers were able to access the Anti-Doping Administration and Management System (“ADAMS”).
In total, the personal information of 11,837 athletes was accessed by the attackers. The attackers published the personal information of 127 athletes of different nationalities online, including their names, nationalities, dates of birth, gender, sport and highly sensitive personal information about prohibited substances and underlying medical conditions. WADA subsequently issued a press release confirming the breach and notified all athletes whose information was published online.
The OPC found that although WADA had put a number of technological, physical and organizational safeguards in place to protect personal information, they were not sufficiently robust to protect personal information of such a highly sensitive nature. Inadequate safeguards in the following areas contributed, directly or indirectly, to the unauthorized access and disclosure of personal information:
- Access controls: Password resets for new accounts were not an obligatory practice, and new passwords were not set to expire after a certain period of time. WADA did not require two-factor authentication to access ADAMS, which would have been an additional security barrier against unauthorized access. There was also no system to flag or notify users of atypical account activity.
- Monitoring and logging: WADA’s ability to detect anomalies and intrusions in ADAMS and to analyze its logs was inadequate. Although WADA procured more robust logging and analysis tools following the attack, those tools were ineffective because they were not adequately configured at the time the attack occurred.
- Policies, procedures and training: WADA had inadequate policies and procedures in place to give effect to its Information Security Corporate Policy. It did not have an adequate privacy breach response plan in place to ensure a quick, effective and orderly response to the breach. WADA did not have a documented risk-management framework to determine which security measures would be appropriate for the risks it faced. There was also little evidence of WADA communicating security awareness information to its staff, through training or other means.
- Encryption: Although WADA used encryption to protect data in transit, it did not encrypt data at rest in ADAMS. As a result, such data was vulnerable in the event its network was compromised.
The OPC recommended a variety of measures to augment WADA’s security safeguards and protect the sensitive personal information under its control. WADA entered into an agreement with the OPC and agreed to fully implement the recommendations.
Tips for safeguarding personal information
The recent spike in phishing attacks and scams due to COVID-19 makes it more important than ever for organizations to consider their obligations as custodians of personal information and ensure adequate safeguards are in place to prevent and respond to phishing and other cyber-attacks. Businesses and organizations are dealing with enough challenges right now, and the last thing they need is to deal with a cyber breach and the federal or provincial privacy commissioner.
The Office of the Privacy Commissioner of British Columbia provided several recommendations to protect personal information when employees are working from home, including:
- Encrypt any electronic devices that store personal information, including home computers, USB drives, laptops and cellular phones;
- Employees should not use their personal e-mail as a means to transfer personal information for work-related purposes;
- Employees should log off or shut down their laptops or home computers when they are not in use;
- Employees should not share a laptop used for business purposes with other individuals, including family members. If employees are allowed to use their personal computers for work-related purposes, then organizations should partition each device into containers using mobile device management software, so that information used for business purposes does not flow into the container for personal use and vice versa.
Mobile device management software can also be used to remotely lock a device, access or erase its data, or retrieve backups as necessary. For more information on “Bring Your Own Device” programs, review the guidelines issued by the OPC.
Other useful tips for safeguarding personal information while implementing a work from home protocol include:
- Ensuring employees are trained to identify and report potential scams such as phishing.
- Ensuring employees regularly change the passwords they use to access online services.
It is important to build awareness within your organization about the increased risk of scams and phishing as a result of COVID-19. Employees should appreciate that they are obliged to report any cyber breach or potential breach without delay, so that your business or organization can mitigate and manage the resulting risks and obtain advice on its statutory obligation to report to the appropriate Privacy Commissioner.
If there was ever a time to ensure that your organization has a privacy breach response plan that prepares you for a quick, effective and orderly response to a breach, it is now. It is advisable to include a lawyer as part of your response team: this not only ensures timely legal advice on issues such as when to report the matter to the applicable privacy commissioner, but also allows your organization to maintain solicitor-client privilege over the forensic investigation and certain response steps, which is important if claims or complaints arise. For further inquiries about these issues, or assistance with a privacy breach response plan, kindly contact Karen R. Zimmer at firstname.lastname@example.org or 604 484 1762, or another member of our Information + Privacy Practice Group. Keep well and stay safe.
This is the second of a four-part series on complying with your statutory privacy obligations during the COVID-19 global pandemic. In the third and fourth parts of this series, we will address the characteristics of an effective privacy breach response plan, and privacy concerns with respect to using certain online video-conferencing platforms. The first part of this series can be found here: Permissive Disclosure of Personal Information in the midst of the COVID-19 Crisis.