Data breach highlights how easily it can happen
By Mia Clarke, AdvocateDaily.com Associate Editor
Data breaches happen a lot more often than people probably realize, says London, Ont. cybersecurity lawyer Peter Dillon, who helps companies deal with the fallout after their systems have been hacked.
And a recent news story illustrates how simple it is to access personal data, including sensitive medical information, says Dillon, a partner with Siskinds LLP, where he heads the firm’s Technology, Franchise and Privacy Law Groups.
The CTV News story describes how a privacy researcher intercepted patient information over unencrypted radio frequencies. The information included the names, sex, medical condition, ages, and room numbers of hospital patients in Vancouver.
While the sensitive data didn’t include financial details — which is what hackers are usually after — the case highlights how easily such information can be intercepted, says Dillon.
“It’s important to remember that hackers can take little bits of stolen information and essentially use it to get lots of information about a person. That’s why it’s so important to uniformly protect all of your data — even if it’s seemingly obscure,” he tells AdvocateDaily.com.
According to the story, the health authority did not inform patients about the breach — even eight months after it was first notified by the researcher who accessed the information.
While there’s a requirement for all federal government institutions to notify affected individuals of breaches of personal information, the rules vary for provincial public bodies, Dillon explains.
In British Columbia, there aren’t any privacy laws requiring public bodies to report a data breach, health or otherwise, CTV reports.
But even in B.C., the law says, “A public body must protect personal information in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure or disposal.”
Ontario has a similar law that says public bodies must take “reasonable” steps to ensure that personal health information is “protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.”
Dillon says, “If the health authority realized that this was an unencrypted system, they were essentially attempting what is known as security through obscurity, which means ‘if we hide it well enough, no one will ever think to look there.’
“The main lesson here is that approach will never work,” he says. “Some people are willing to look everywhere, so if you want to protect your data, never assume that someone won’t try to find it. Always put some kind of protection or encryption on it, so even if they find the data, they can’t use it.”
Dillon says there are ways for organizations to protect themselves against data breaches:
- Encrypt your data — It’s simple and inexpensive, he says. If hackers get the data, they can’t read it.
- Keep your technology up to date — “The longer you go without installing an update, especially a security update, the more people will know about how to hack into it,” says Dillon.
- Don’t put data online unless necessary — “If you don’t need to make data or computer systems available to the public, or over the web for employees, then don’t,” he says. “The less you have that can be accessed over the internet, the harder it is for someone to steal something of yours.”
- Restrict access — Minimize the number of people who have access to critical information, so you limit the people an attacker can pretend to be, he says.
- Use passwords wherever possible — “Never leave a database of critical information without a password or access key,” says Dillon. “Just like you would never leave a filing cabinet full of confidential documents unlocked in the middle of your foyer.”
If a person suspects they may be included in a data breach, Dillon suggests they consult the privacy watchdog in their province. A list can be found here.
When in doubt, he says the Office of the Information and Privacy Commissioner can help find the right organization to contact.