Appearance before the Standing Committee on Public Safety and National Security (SECU) on Cybersecurity in the Financial Sector as a National Economic Security Issue

April 3, 2019
Ottawa, Ontario

Opening Statement by Gregory Smolynec
Deputy Commissioner, Policy and Promotion

(Check against delivery)

---

Good afternoon Chair and members of the Committee.  Thank you for the invitation to speak to you today.  I am grateful for the opportunity given your study touches on issues with which Canadians, and the Office of the Privacy Commissioner (OPC), are seized. 

I will reiterate the concerns I voiced when I appeared before the Standing Senate Committee on Banking, Trade and Commerce on its study of Open Banking:  the financial sector must be built upon a foundation that includes respect for privacy and other fundamental rights at its core.  Banks and other financial institutions must have robust standards for both cybersecurity and privacy.

It is important to clarify the difference between a privacy breach and a security breach as the two terms are often used interchangeably.  A security breach is any incident that results in unauthorized access of data, applications, services, networks and/or devices by bypassing their underlying security mechanisms.  A privacy breach is the loss of, unauthorized access to, or disclosure of, personal information, regardless of the means.  A privacy breach is broader, and can occur without any compromise of security systems.

And this is the challenge:  cybersecurity and privacy have some overlap in that the former can help protect the latter, but in some cases, cybersecurity can create risks for privacy.  For example, it is vital to ensure that cybersecurity strategies and activities do not lead to the development of massive surveillance regimes for unlimited and unending monitoring and analysis of the personal information of individuals.

Both the public and private sectors have obligations to report breaches.  Under the public sector Privacy Act, that obligation resides in Treasury Board policy, which requires that OPC officials be notified of material privacy breaches.  A breach is “material” if it involves sensitive personal information, could reasonably be expected to cause harm or involves a large number of individuals.  On the private sector side, PIPEDA requires organizations to report breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals.  Organizations must notify affected individuals about those breaches, and keep records of all breaches.   

An example of a high-profile privacy breach is the World Anti-Doping Agency (WADA) case.  As a result of a phishing attack in 2016, WADA’s database containing extremely sensitive personal information of athletes was compromised by Russian military intelligence operators who subsequently released some of this data into the public domain, with the threat to release more.

In our WADA investigation, we concluded that cybersecurity measures should be proportionate both to the sensitivity of the personal information being protected and to the attractiveness of the information to malign actors.  This reasoning also applies to cybersecurity in the financial sector.  The Supreme Court of Canada has ruled that financial information is indeed sensitive.  Other major breaches in recent memory have been those concerning Equifax, Ashley Madison and the Phoenix pay system.

Privacy breach reporting in the private sector has been mandatory since November 1, 2018.  Since then, we have seen approximately a four-fold increase in breach reports from the private sector.   With six months of private sector data breach reporting under our belt, and considerably more experience on the public sector side of the house, we have made a number of observations.  Institutions are not always aware of the personal information they hold, where it goes and who has access to it.  Oftentimes in the rush to protect against hackers, the internal threat is overlooked – privacy breaches involve not only loss of personal information to external forces, but also inappropriate access by internal actors.  Mandatory breach reporting requirements can be a tool to enable institutions to confront the adequacy – or lack thereof – of cybersecurity plans and preparations.  Furthermore, OPC Officials use this knowledge to inform our guidance to organizations.   

The challenge for our Office, and for Canadians, is to keep pace with technology.   Understanding how personal data will be used, by whom and for what purpose, is equally difficult.  While it’s the case that privacy policies are seldom read, we may be approaching a time where how data is used is equally ill-understood. The Office has done work in the area of examining notions of consent in this space, and has recently launched guidelines for organizations subject to PIPEDA on how best to obtain meaningful consent for the use of personal information.

As others have indicated before this Committee, we believe that these issues are best addressed with a collaborative approach.  To that end, we work together with other privacy and data protection offices on joint investigations.  We participate in Global Privacy Enforcement Network sweeps, and have found this enables sharing of best practices.  The OPC also participates in the Cyber Security Analysts Network group, chaired by Public Safety with participation of other federal government departments.  Our Government Advisory Directorate also provides advice to federal government stakeholders in this area. Other solutions involve education and outreach for companies, particularly small and medium-sized enterprises, which are often hard pressed to ensure their information, including personal information, is adequately safeguarded. 

In conclusion, privacy regulators and advocates have a role to play to ensure that cyber security strategies, principles, action plans and implementation activities promote privacy protection both as a guiding principle and an enduring standard.

We need to reform our privacy legislation to make it fit for purpose to ensure that the privacy of Canadians is protected as technologies and the economy changes.

I welcome your questions.