We reviewed the appropriate safeguards and measures organizations should have in place when transferring customer data to service providers and other third parties based on the recommendations of the Office of the Privacy Commissioner of Canada (OPC) in our Thinking of Outsourcing Your Customers' Data? What you Need to Know Ahead of Time blog post.
In a recently released report, the OPC provides additional guidance on how organizations can protect themselves against insider threats to their customer's data.
The OPC released its findings in a PIPEDA Report (the Report) on December 14, 2020 following an investigation into the Fédération des caisses Desjardins du Québec (Desjardins) after a major security breach.
It is clear from the Report that in order to meet its obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA), an organization must protect itself from both external and internal security breaches.
Internal breaches are often harder to guard against than external security breaches as they can involve both intentional and accidental breaches.
The Desjardins Security Breach
In May 2019, Desjardins notified the OPC of a security breach. A subsequent investigation revealed that a malicious Desjardins employee who collected customer personal information over 26 months committed the breach. The employee did not have access rights to the personal information but instead accessed the data when other Desjardins employees moved confidential information to a shared drive. The employee then moved the personal information onto his work computer and USB drives.
The breach affected close to 9.7 million people in Canada and abroad, and 12 individuals filed complaints with the OPC.
The OPC's Analysis
In the Report, the OPC considered whether Desjardins met its accountability requirements for the personal information it collected from customers. PIPEDA Principle 4.1 requires that an organization be responsible for personal information under its control, while PIPEDA Principle 4.7 requires that security safeguards are in place to protect information, appropriate to the sensitivity of the information. To meet these principles, organizations must implement physical, organizational and technological measures.
The OPC determined that Desjardins ultimately had insufficient protections in place and provided further guidance on what steps organizations must take to protect customer's personal information from internal security threats.
Appropriate Safeguards and Measures
The OPC asserts that organizations can take measures to combat internal security threats in the following five areas:
- Security Screening and Confidentiality Agreements;
- Organizational Policies and Procedures;
- Employee Training and Awareness;
- Access Controls and Data Segregation; and
- Oversight and Monitoring.
The OPC reviewed the measures Desjardins had in place in each area and found the following:
- Security Screening and Confidentiality Agreements: Desjardins conducted security screenings before hiring employees and had employees sign a confidentiality agreement. The OPC found these measures to be acceptable.
- Organizational Policies and Procedures: Desjardins had a number of directives, policies and procedures in place for the protection of personal information, but some were incomplete and had not been implemented effectively.
- Employee Training and Awareness: Desjardins provided each employee with onboarding training, including nearly four hours of training on the protection and security of personal information, and held ongoing training and awareness programs. However, Desjardins did not provide any indicators to demonstrate that employees understood the content of this training. The actions of the employees with legitimate access to the personal information in question demonstrated that they were not following procedures and policies.
- Access Controls and Data Segregation: the OPC found that the improper storage of personal information by employees, contrary to the policies, demonstrated that proper access and data segregation were not being implemented. This was particularly the case as authorized users could move restricted data to unrestricted storage areas.
- Oversight and Monitoring - at the time of the breach, Desjardins's practice limited itself predominantly to passive measures and the company's system did not detect the breach on its own (Desjardins was notified by the Laval police department). The OPC found that passive systems alone were not enough to meet Desjardins's privacy obligations since the breach involved high volumes of sensitive customer personal information.
Key Takeaways for Organizations
In light of the Report, organizations should take the following steps to ensure that they are meeting their privacy obligations:
- Ensure that employees are following policies and procedures on an ongoing basis.
- During training, require employees to demonstrate that they understand the policies.
- Frequently review whether employees are following procedures and policies.
- Ensure that access controls do not permit for restricted information to be easily moved to more widely accessible domains.
- Implement active monitoring systems such as a data loss prevention (DLP) solution and other ongoing monitoring mechanisms (particularly for organizations which handle highly sensitive personal information).
- Implement appropriate personal information retention and destruction policies and have mechanisms in place to ensure that they are followed.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.