Using e-mail to send tax returns promotes data breaches and violates privacy laws

Legal threats over data breaches come as government ponders new ways to secure information, Jan 2013

Federal department bans use of portable devices after personal data breach, Jan 2013

No longer does a week go by without another serious data breach being reported in the news. What implications do these data breaches have for members of both CMA and CGA Alberta? To answer this question, there are four key issues that we need to focus on:

  1. Do the current digital communication methods used to exchange information with your clients, stakeholders and business colleagues inadvertently contribute to data breaches and promote identity theft?
  2. How the failure to comply with current and emerging electronic privacy laws can result in serious consequences.
  3. How increased awareness of e-Privacy standards amongst the clients that you serve can result in you losing their business and their trust.
  4. How industry standards and viable technology solutions can address potential problems.

In considering the issues above, we need to understand the root cause of a data breach and identity theft. The vast majority of breaches occur because sensitive information was not encrypted. Encryption is defined as the process of encoding messages (or information) in such a way that eavesdroppers or hackers cannot read it, but authorized parties can.

Do the current digital communication methods used to exchange information with your clients, stakeholders and business colleagues inadvertently contribute to data breaches and promote identity theft?

The answer unfortunately is still yes! Although there are some shining examples of CGA and CMA members encrypting their digital communications, the majority are still using e-mail, fax and unencrypted thumb drives to disseminate sensitive information such as tax returns. The focus here will be e-mail.

The use of e-mail is systematically contributing to the data breach and identity theft problem. Why is this the case? Using e-mail is just like sending a postcard over the Internet. E-mail is not encrypted. Even worse, as e-mail traverses the Internet it can leave copies of itself and its attachments on any e-mail server that it encounters. Anyone who has access to those servers or deploys an e-mail sniffer may, for example, read the contents of your client’s tax return. Information such as a SIN, birthdate or address can be used to steal your clients’ identity. The risk here is enormous and the consequences of a breach could significantly damage the reputation of the accountant and the organization.
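As an added illustration that is not part of the original article, the following Python audits a constructed message for the two risks just described: it counts the Received headers (one per server that handled the message, each a place a plaintext copy can persist), checks whether the body is actually encrypted (OpenPGP/MIME, S/MIME or inline PGP armour), and flags any SIN-shaped numbers in the clear that pass the Luhn check Canadian SINs use. The message, hostnames and function names are assumptions made for the example.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample, not a real capture: two Received headers, i.e. two
# servers that handled the plaintext message and may have kept a copy.
SAMPLE_EMAIL = """\
Received: from mx.isp.example ([192.0.2.20]) by mail.client.example with ESMTP
Received: from smtp.firm.example ([192.0.2.10]) by mx.isp.example with ESMTP
From: accountant@firm.example
To: client@client.example
Subject: Your 2012 tax return
Content-Type: text/plain; charset=us-ascii

Hi, your return is attached. The SIN on file is 046 454 286.
"""
SIN_PATTERN = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")

def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which valid Canadian SINs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sins(text: str) -> list:
    """Candidate SINs (digits only) in text that pass the Luhn check."""
    digits = (re.sub(r"\D", "", m.group()) for m in SIN_PATTERN.finditer(text))
    return [d for d in digits if luhn_valid(d)]

def is_encrypted(msg: Message) -> bool:
    """True only for OpenPGP/MIME, S/MIME or inline PGP-armoured bodies."""
    if msg.get_content_type() in ("multipart/encrypted", "application/pkcs7-mime"):
        return True
    body = "" if msg.is_multipart() else msg.get_payload()
    return "-----BEGIN PGP MESSAGE-----" in body

def audit_message(raw: str) -> dict:
    """Hops = servers named in Received headers; each could retain a copy."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    encrypted = is_encrypted(msg)
    return {
        "hops": len(msg.get_all("Received") or []),
        "encrypted": encrypted,
        "sins_in_clear": [] if encrypted else find_sins(body),
    }
```

Run on the sample, `audit_message` reports two hops, no encryption and one SIN in the clear; a message protected with OpenPGP or S/MIME would report no SINs because the body is not readable by the servers in between.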

How the failure to comply with current and emerging electronic privacy laws can result in serious consequences.

The volume of Canadian data breaches being reported has led to significant hardening and enforcement of provincial electronic privacy law, with Alberta taking the lead. New provincial privacy laws such as PIPA (Personal Information Protection Act of Alberta) have emerged that require the use of technical safeguards (encryption of sensitive information) and are now being enforced by levying fines against offending companies and making the violation a matter of public record. This goes hand in hand with mandatory data breach reporting, which went into effect in May 2010.

Alberta has also implemented a streamlined process for an individual or company to report a privacy violation to the Office of the Information and Privacy Commissioner of Alberta, which has serious ramifications for the offending company. The privacy violation could be as simple as a client receiving an e-mail containing sensitive information such as a tax return or financial statements. The client’s recourse is as follows:

  1. The client fills out a readily available electronic complaint form and submits it to the Office of the Information and Privacy Commissioner of Alberta.
  2. The privacy commissioner’s office will phone the offending firm to ensure that they put safeguards in place to prevent the violation from recurring.
  3. If safeguards (e.g. encryption) are not in place after approximately 45 to 90 days, a privacy officer or adjudicator can fine the offending company and make the complaint public on their website. A formal inquiry will now take place and may involve a privacy audit of the offending firm.

How increased awareness of e-Privacy standards amongst the clients that you serve can result in you losing their business and their trust.

Your current and future clients have also been exposed to the data breach headlines. This has had the effect of educating them and increasing their e-Privacy awareness, which makes it more likely that they will ask their accountant how their digital information is being protected. Such questions may include: is my information encrypted? How long does it live? Who has access to it? It is inevitable that accountants are going to have to come up with sensible answers, which will put pressure on them to provide a solution. Simply put, clients who have been e-Privacy educated will potentially leave accountants who put their information at risk.
 
Mandate standards and viable technology solutions to address the problem.

Now that the “e-mail” problem has been clarified, it is critical to understand how to address it. Accounting professionals need to be better informed on the risks of using conventional digital communication methods as well as understanding their electronic privacy obligations. This includes assessing liability and potential loss of reputation if a breach occurs. Viable technology alternatives need to be considered to replace e-mail for sensitive communication and be deployed as soon as possible.

It is my opinion that a cloud-based solution that has appropriate safeguards is the most practical choice as it leverages the web without having to install software and can be very quickly deployed. Furthermore, cloud solutions can present other features that are not in e-mail which can be made available to give the sender better productivity and control of their information; this would include message recall if it has been sent in error and message expiry. Productivity comes in the form of message tracking and, unlike e-mail, imagine that one knows with 100% certainty that the recipient picked up your message and downloaded your files.

CGA and CMA Alberta are helping their members by partnering with www.e-courier.ca, one of Canada’s largest cloud-based secure e-mail and client file portal providers, with the goal to provide a safe and viable alternative for its members that can be used for sensitive communications. It is also my hope that new membership policy and guidelines will be contemplated and introduced in the very near future that mandate the non-use of e-mail for certain types of sensitive information such as tax returns and financial statements.

As mentioned above, there are some shining examples of members and their respective firms who have secured their electronic communications. Given the risks at stake it is prudent and imperative that other members follow their example.

Eric Gold
C.E.O & Founder
http://e-courier.ca
Secure file and message transfer made simple
Office: 604.261.4631
Mobile: 604.868.1221

Email: eric.gold@e-courier.ca