Tuesday, July 30, 2019

Know A Bit Aboot Canadian Privacy Law, Eh?

It's widely acknowledged that data protection law in Canada has long been more robust and strict than here in the United States.

In 2019, the Privacy Commissioner of Canada signaled an intention to interpret Canada's laws even more strictly, and indicated a desire to propose to the Canadian Parliament changes to the Personal Information and Electronic Documents Act and the Privacy Act which would bring Canadian law more into line with Europe's GDPR.  In light of this, and my responsibilities for international privacy compliance, I began studying Canadian federal and provincial data protection law in earnest, and recently became credentialed by the International Association of Privacy Professionals as a Certified Information Privacy Professional in Canadian data protection law and practice (CIPP/C).

According to the IAPP, which is the world's premier (and largest) data protection certification organization, a CIPP/C designation means "you have an understanding and application of Canadian information privacy laws, principles and practices at the federal, provincial and territorial levels."  To demonstrate mastery of the domain, all applicants must pass a rigorous exam which covers all of the topics listed here, including Canadian legal frameworks, private sector law, public sector law, healthcare sector laws, financial sector laws, provincial laws, norms and standards, and best practices.

If you have an interest in obtaining the CIPP/C designation, I'd be happy to talk with you about it, and specifically how I studied for the examination.

Stay tuned, as I may be posting more content to this blog relating to Canadian data protection in the future.

What's in your wallet? Maybe someone else's hand! (How to protect yourself following the Capital One breach)

What Happened?

Capital One, a major credit card issuer headquartered in Virginia, has disclosed a data security breach that affected around 100 million individuals in the US and around 6 million in Canada.

The perpetrator sought information relating to individuals who had applied for credit card products between 2005 and 2019, potentially accessing names, addresses, email addresses, phone numbers, dates of birth and self-reported income, as well as 140,000 social security numbers and 80,000 bank account numbers in the US and million social insurance numbers of Canadians. Capital One claims the hacker did not gain access to credit card account numbers, and Capital One believes it has fully remediated the vulnerability that led to the breach.

What You Can Do To Protect Yourself

If you believe your personal information may be at risk as a result of this incident, you can take some steps to protect yourself. Here are some suggestions:

1. Check your Capital One account online for unauthorized charges. Log in to your account (from a secure connection and trusted device, as always) and search your recent transaction history for any unfamiliar transactions. If you see any unauthorized charges, follow Capital One's process to dispute the validity of those charges immediately.

2. Change your password for your online Capital One account. It's a good idea to periodically change your passwords anyway. Do not re-use a password that you have used (anywhere) before. Ensure your password is long and complex. (Here's what NIST has to say about password length and complexity).

3. Check your credit, if you haven't done so recently. You're entitled to one free copy of your credit report every 12 months from each of the three nationwide credit reporting companies. Order your reports online from annualcreditreport.com, the only authorized website for free credit reports, or call 1-877-322-8228. You will need to provide your name, address, social security number, and date of birth to verify your identity. Review the reports to ensure they show only accurate, legitimate lines of open credit (e.g., your mortgage, credit card, etc.).

4. Consider a credit freeze. Placing a security freeze on your credit reports can prevent an identity thief from opening a new account or getting credit in your name. State laws, including North Carolina's state law, allow residents to set up and manage security freezes free of charge, and beginning in September of last year, federal law gives all Americans similar rights. To implement a security freeze, you will need to contact each of the three credit bureaus online:
Be prepared to provide authenticating information, such as:
  • Your Full Name
  • Your Address
  • Your Date of Birth
  • Your Social Security Number
When you put a security freeze in place, the credit bureau will send you confirmation of the freeze along with information on how to remove the freeze, which may include a PIN (Personal Identification Number) or password. The information should be sent to you no later than five business days after placing the freeze. Don't lose your PIN/password! If you want to apply for a new line of credit, you can request that a freeze be lifted for a specified period of time or removed by making the request to the credit bureaus and providing proper identification. The credit bureaus must lift or remove a freeze within one hour if you request by telephone or online.

5. Take advantage of the free credit monitoring and identity protection services that Capital One will soon be offering. (Details to follow soon, we assume. Check Capital One's website.)

Take care of yourselves, and good luck!