Covid-19 rushed into our lives. Many business leaders had to make significant operational changes immediately. Technical decisions that generally take months to plan and implement were made in the matter of days. And in this rush to stay productive some business leaders overlooked privacy and security.

In episode 10, Paul and Ty are joined by Marilyn Sing, Certified Information Privacy Professional and Principal of IPP Consulting to discuss how the pandemic and in particular, the rush to work from home resulted in lax oversight in privacy policy and practices across a broad spectrum of businesses. Marilyn details the evolving landscape noting some of the top concerns and breaches since the start of the pandemic while Paul and Ty offer their perspective on issues where technology intersects with privacy. At the heart of this episode is a recommendation for a comprehensive review of all technical changes made during the move to work from home. A thorough review should be conducted, especially to the changes that could impact privacy or security.

Marilyn Sing

What got lost, from my privacy perspective, is that a lot of organizations were lacking proper privacy policy and practices that not only guided employees in the office, but should guide their practice wherever they’re doing work…it’s really important now that security and privacy go hand in hand because they help in protecting an organization from a lot of risk, and certainly security alone is not enough, and I would say privacy alone is not enough. You really need those two areas working together to really protect personal information properly within an organization. 

Marilyn Sing

Principal, IPP Consulting

Island Thrive Podcast
Island Thrive
Click for the full transcript

Paul: And welcome to Island Thrive, conversations with business and community leaders on Vancouver Island. I’m your host, Paul Holmes with Smart Dolphins IT Solutions and joining me today as co-host is Ty Hedden. Welcome back to the podcast Ty.

 

Ty: Good morning Paul.

 

Paul: Ty is my colleague at Smart Dolphins, one of the vCIOs, helps businesses and non-profits and plan their IT roadmaps and make good, smart IT decisions.

 

So we wanted to get Ty on the podcast this week because our special guest is Marilyn Sing, who is the owner of IPP consulting, a privacy consulting company based here in Victoria, and definitely a leader a lot of people know her and her expertise in consulting on privacy, obviously there’s a major intersection between IT and privacy, and both Ty and myself have co-presented with Marilyn a few times and know quite a bit about her work. So welcome to the podcast, Marilyn.

 

Marilyn: Thank you, Paul and Ty. It’s great to be here.

 

Paul: It’s definitely interesting times, and I know one of the things, Marilyn, that you’ve done, which has been really cool, is every single week I get an email in my inbox talking about the privacy issues of the week that you’re sending out, I guess, to all of your contacts which is fantastic. And so I think right off the bat, I will ask you if that’s something that our listeners can get ahold of, if they’re interested…

 

Marilyn: Yes, of course. I started the weekly update, just when Covid-19 started. I felt that it was important for a couple of reasons. One, I had, of course, several of my clients contact me about particular privacy issues they were facing with looking at having their staff work from home.

 

Paul: Yeah.

 

Marilyn: Also, there was changes in processes and how they were also dealing with their clients and customers from home as well, so there was a lot of privacy concerns there, especially in regards to sensitive information and communication. So that was certainly a big issue. And I thought going forward, instead of maybe several clients contacting me all the time about the same issues, I thought, “Well, maybe it would be helpful if I actually did start a weekly update,” just letting people know what kinds of issues, privacy issues we’re happening, what sort of things were unfolding. Certainly, of course, there was releases and guidance from the privacy commissioners, which I felt needed to be put out there, lots of things in regards to video conferencing, and of course, Zoom. Zoom has been a big topic of many of my weekly updates. Certainly there were other the privacy issues that we’re coming into play, like all the phishing scams, hackers impersonating other people and companies, security cameras, issues with free email, definitely privacy considerations like technology tools and equipment, lots of questions about encryption, things to do with web browsers.

 

Paul: What I love about your newsletter is you touch on some of the high-level topics that I think all of us are thinking about, especially in this Covid pandemic world that we’re in, but you’ve also…one of the things that I really like is detailed some of the other sort of ongoing things like the Equifax breach and some of the big data breaches that have happened like Fitness Depot. I didn’t know about the Fitness Depot one until I saw it in your newsletter, because I don’t think the media covered it a lot and…

 

Marilyn: Yes.

 

Paul: And so not that I’m a big fitness guy, but could be. And you even have like when the MeWe launched and some of the alternatives with better privacy options and stuff like that. So it’s great. I think if somebody wants to get a hold of it, definitely get a hold of Marilyn and get on this list, because man, every week it’s something new. My only regret is it comes Friday afternoon and I’m ready to check out so…

 

Marilyn: Then you can look at it Monday morning.

 

Paul: I often read it on Monday morning that’s often very true. Yeah, and there’s just so much going on. I think one of the things we talked about before the show is maybe encapsulate what is the state of privacy in the pandemic world, and I hope that’s not too broad of a question, because I feel like the thing that we were all talking about around privacy and businesses were starting to take more seriously, really got pushed to the back burner when reality hit with the pandemic. Suddenly people that were working from their office and thinking about privacy procedures and protecting data and stuff, we’re now all of a sudden forced to take their computers home and do God only knows what with their data remotely. It’s messy out there, I think, right now. So maybe give me your thoughts and maybe we can talk about where we go from here as well.

 

Marilyn: Sure, that would be great. I think well initially, you guys would have been the first people that were called when the pandemic hit, because certainly people were thinking about, “Okay, how do we deal with technology systems and tools if people are working from home instead of at the office, so?” I know that was everybody’s top priority, and that’s understandable, but I think what got lost in that, from my privacy perspective, is that a lot of organizations were lacking proper privacy policy and practices that not only guided staff and employees in the office, but should guide their practice anywhere wherever they’re doing work, so I think that was sort of the main thing that I felt that in the rush to get people home and on these technology tools, I’m sure there were lots of things you guys were thinking about too, well, was there VPNs is there secured systems. But certainly from my perspective, I’m looking at the policy and practices that go with that. I think one of the great things about working with you guys, is you are the security side, and I can offer the privacy side, and certainly you spoke to the word intersection and I think it’s really important now that security and privacy go hand and hand because they help in protecting an organization from a lot of risk, and certainly security alone is not enough, and I would say privacy alone is not enough. You really need those two areas working together to really protect personal information properly within an organization.

 

Paul: It was definitely quite a crazy time when this first started, we were very busy. Thankfully, we had actually sent people home to get set up a little bit sooner, just sort of seeing the writing on the wall, so by the time our clients were calling us and we obviously had a lot of people enquiring we were all set up and ready to help them, thankfully we’ve talked about that on one of the podcast though. and man in my career, there’s times to remember and there’s times that just blur together, and the start of Covid-19 is definitely one of those times to remember when the impact on the world that you’re able to make through something like IT where we believe very strongly and obviously what we do, we try to create better environments for people, we try to improve their IT, but we don’t often think of ourselves as saving lives. In one sense, getting people able to work from home in an orderly fashion and as quickly as possible, I don’t know, did we save any lives? But maybe forever I’m going to remember that for sure. I know Ty you had a question burning there…go ahead.

 

Ty: Yeah, one thought I had through this whole experience over the past few months, we were posed with a lot of new situations, a lot of new questions, questions with much different urgency. It went from, “How can I get on to Microsoft Teams or how can I move to OneDrive over many months of planning, to how can I get onto Teams or OneDrive next week?” In that shorter window, we had to approach things quite differently, and the things our clients were asking us, we’re quite different, and I was just curious, from a privacy consultancy perspective, if there’s been any sort of changes in the questions that you’re receiving from clients are the concerns that they have now. As an example, some of the concerns that changed for us is that now an office may have people working at home and remoting in completely compared to not doing that before. So the question would be, “where is my data and how is it? Is it safe, is it controlled?” That sort of thing. I was curious, or if you’re seeing a shift on your end?

 

 

Marilyn: Yeah, certainly there is. In terms of I think if you start thinking about data, and in terms of personal information-related data, there is definitely more consideration that needs to be thought of in terms of how that’s being processed and handled from home. So for example, I’m sure the organizations that you were helping work, were getting their staff to think about, “okay, what’s their internet capacity like? Have they changed that? From the privacy perspective, I would say, okay, have they changed that sort of default password access into their wifi? But there are other things too, like in terms, if you’re handling physical paper that has personal information on it, is that being properly locked up at home? You know, people can get very relaxed and their behaviors with working from home in a situation where all of a sudden their office might be in their kids playroom where it was set up, or it might be in the kitchen area where if they had visitors, other people may be able to see that information, so there’s really… Again, when I spoke to earlier about privacy practices that people should be following when they’re at home, that’s really important. Actually, the Office of the Information and Privacy Commissioner for British Columbia, right on March 14th (so basically a week or two into this push for people working at home) they were already promoting and had released tips for organizations working from remote workplaces, and that was really important. It was a good reminder for people think about, Okay, do they have passwords on their devices, especially if they’re using their personal device, so is it password protected? Even if so, are there other people within that household who have that password that could potentially access to work information, which they shouldn’t have any access to. So it was really pointing to some of the way you would hand personal information in the office anyway, there’s limited access, there’s minimal amount of information that you would be looking at especially in an environment where there’s vulnerabilities. A lot of it was looking at that and trying to make sure that people were looking at those tips, the Privacy Commissioner was promoting and following them as best they could.

 

Ty: One thing that stuck out for me is when you mentioned paper, bringing home papers. I think that really relates back to some conversations I had, just on the broad tools that people are using, some people are bringing on physical documents, but during the shift, I talked to people who said, “well, we don’t need Teams today or a secure chat solution today, we are just texting each other.” Right, when you think about that, well, they’re texting each other primarily to personal cell phones and business information ending up on those personal devices, and it seems very convenient, an innocent, but it quickly gets out of control and it’s the stack of papers that gets left at home after employee leaves, it’s the text messages left on their phone, which you now have no control over, and 10 or 20 different other tools that different businesses are using, and it goes very quickly and almost organically. But that’s kind of the problem in a lot of cases.

 

Marilyn: Yes, and then that creates a whole bunch of issues, especially from the IT security side. Certainly text messaging, email, none of those devices and communications and certainly video conferencing, none of them are secure and foolproof. So the problem is that the reliance on that or utilizing new tools, and for what I could see certainly when you look at Zoom and the increase in the user uptake. I think it from initially 10 million customers in January to 300 million customers in March or April. It was ridiculous, and they had already well-known security and privacy issues, and yet people were going on it and not really thinking about that. Of course, until Zoombombing happened a few weeks later. So the evolution of that, and really they didn’t hire a consultant who had a lot of experience in a Chief Security Officer role until I think it was May. And encryption, sure they promoted that they had encryption, but it wasn’t end-to-encryption, and there was all sorts of issues and problems with it. And I certainly from the privacy perspective, had huge concerns over that, especially when the US decided that they would relax some of the regulations associated with their Health Privacy Act, and Canadians want to follow suit. And that was also pretty scary to me because I think a lot of people don’t understand that the US their privacy laws are not as stringent as Canadian laws, and so I felt that a lot of people, so just following what the US was doing was a mistake and that it was something that could get them into lots of trouble and risk certainly later on.

 

One of my clients has a lot of sensitive personal information that they handle, or communication that they have between clients, and that was a huge concern. They were being innodated with their members asking them to, “why can’t we use Zoom and the US is doing it, why can’t we do it?” It was really hard for them, I think, to try to keep that situation under control and be able to thoughtfully put together a decision-making guide to help their members with making those decisions on which tools to use. One of the things I kept on saying to them was, “you know, whatever tools you use, you are responsible for that, so if there is a breach and you’re going to be held responsible for that situation because you chose those tools,” and I said, “you have to make sure that you understand what the risks are, you’re willing to take those risks because you think there’s going to be a greater benefit, but at the same time, you have the potential to really create a disaster situation for your organization if you choose wrongly and you’re not putting into place the other safeguards that you need to.” So for example, I said that with Zoom, you need to make sure that the people that you’re expecting to provide you with sensitive information through that tool understand that it’s not totally secure, security proof that there is the risk of it being breached or being hacked into. People have to be comfortable with understanding what that risk is and provide consent to then utilize that tool in order for everyone to be I don’t want to say protected, because that’s really not the right word, but to be aware that there are risks associated with that.

 

You know what I think was really telling was I was on a webinar that included a speaker from the Office of the Privacy Commission of Canada’s office, and somebody brought up video conferencing tools and said, “well, what do you use?” And I know that the Commissioner’s offices are very reluctant to say at all what they use, but they actually said, “we do not use video conferencing tools, we only use teleconferencing tools, we do not use video tools.” And I thought well, there’s an answer for you. Also, at one of my weekly privacy updates, there was something released by the Law Society of BC where they were guiding their members on whether or not to use video conferencing tools. And again, I think one of the main things is, and I said this to my client was, “do you really need to see the person? I said, really, you know what I would say the safest way of using any telecommunication tool right now, where you’re exchanging sensitive information is through a landline.” And not many people have that anymore, they’ve gone to using their cell phones, but I said, “that’s the safest way, if you’ve got two people on a landline, there’s less opportunity for anybody to hack into that conversation.” So really?

 

Paul: We’ve opened up the can of worms here, Marilyn.

 

Marilyn: We can keep on going on this.

 

Paul: Yeah and I think this is great, I think our listeners are going love to hear about this stuff. And I think the difference here, and maybe you can help bring some clarity. When we’re talking about sensitive information, that’s something that’s very different for different people. And one of the examples I like to give is one of my family members was attending counseling and obviously when Covid-19 hit they were unable to attend in-person counseling, so they switched to Zoom and we’re talking about a lot of personal details. It’s one of those things where if somebody was recording that and played it back or posted it to their Facebook or used it to blackmail them or something, that could be really problematic, but by and large, is there a big jackpot for a hacker or something like that, a mountain of data or anything, not really, it’s not like credit cards and all that.

 

So why don’t we sort of start and obviously, every industry was a little different around what is sensitive data, if you’re collecting credit card numbers in one business, that’s a big deal, and if you’re collecting personal health data and in another business, that’s a big deal. How do you help your clients to define what is the sensitive data?

 

Marilyn: It’s funny, I think there is no proper definition for sensitive data in Canada. We’ve sort of pushed everything together under this personally identifiable information. And initially, that was pretty basic stuff, your name, your address, your phone number, your email address, but as soon as you start getting to anything that has a numeric identification number attached to it, like driver’s license, Social Insurance Number, birth certificate, those kinds of pieces of identification when put together can easily be used by a hacker or fraudster.

 

Paul: And I envision that on the dark web, there’s databases all indexed to those numbers full of all sorts of information about every single person.

 

Marilyn: Yes.

 

Paul: And probably including everything you’ve ever posted on Facebook. I don’t know if that’s true.

 

Marilyn: I’m sure it is. I was going to say hackers are getting with artificial intelligence now, it’s a lot easier to pull together a little bits of pieces of information into a much bigger profile. Certainly, I think about even for a long time, even creating passwords or identifiable to prove that it was you, it might be things like, “which high school did you go to? what was your first pet’s name, and things like.”

 

Paul: Mother’s maiden name.

 

Marilyn: Those things should really be now a thing of the past, and really people should be using long passwords and identifies or things that they wouldn’t publicly ever stated anywhere in order to really protect themselves. Certainly, there is a requirement, if you’re handling more sensitive personal information that needs to be safeguarded in a much higher way, so whether that information needs to be encrypted, whether there needs to be something like two-factor authentication, mainly from the IT perspective, you guys are familiar with those kinds of technology safeguards, those are important, but from the privacy side, it’s really important to provide proper notice and consent. So that means that if you are using a new tool or implementing something that person that is going to be participating in that with you needs to understand what are the security safeguards attached to that, if there are any risks, and they have to be willing to consent to utilize that tool with you. You talked about recording. And that’s really important.

 

Certainly in a counseling situation, I would say that it shouldn’t be recorded. If it has to be, certainly you’ve got to consider which tool you’re using, if that recording can reside outside of Canada, that’s a risk. Certainly, if you have no other option, maybe you record that, but you immediately then go and download that recording to your own device residing in Canada, and you erase it or delete it off of a US server. Certainly things like that…

 

Paul: Then you have to manage it in your own network too.

 

Marilyn: That’s right, then you got to make sure that nobody else can have accidental access to it or you got it secured somewhere as well. And again, that’s where certainly working with IT specialists and consultants is really important. You want to make sure that that’s safeguarded, because you’re responsible for that, the onset of notice and consent to storage and retention, we are obligated under the Personal Information Protection Act to protect that information properly.

 

Paul: This very thing actually came up so we talked about my family member with this counseling, there’s also… then this is a real world example. And you can think about this in terms of personal data, but there’s also business stuff too, if I am having a Zoom call with my accountant and we’re detailing every financial thing, maybe that’s maybe something I wouldn’t want to be out there as well, because it’s private, we’re talking about the payroll or whatever, there’s a 1000 reasons why people would not want some of the things that they talk about on Zoom calls to leak, if you will right? I think it’s just people really, really need to understand the risks, and especially when they’re dealing with anything sensitive, what I’ve sort of said on Zoom training calls that I’ve done is, “look, don’t you just don’t talk about stuff on Zoom that you would be unhappy to see, on the front page of your local newspaper, right?” Is that what we’re talking about here? Are we in the same territory and what do you tell those people that absolutely have to record or talk about sensitive stuff on online? You said you mentioned earlier, landlines, it’s probably not totally reasonable for a lot of people, so what’s the next best thing for people that lack landlines, which is most of us? Tough question right?

 

Marilyn: It is tough. You know it’s funny technology benefits us in so many ways and but also has some disadvantages. Okay, so beyond landline to landline, it would be great if one of the party had a landline and the other person was on the cell phone, then you’re going to two cell phones. Personally, I would avoid Zoom for any sort of conversation that would have any kind of personal information…

 

Paul: Which we’re recording on today by the way.

 

Marilyn: Yes we are recording on today.

 

Paul: But this works great for something like that, and not so great for talking about our personal health data.

 

Marilyn: Yes, exactly and that’s the other thing to consider. And certainly Covid-19 and the situation and the public awareness has pushed companies like Zoom to do a better job with their security and their encryption. And certainly, there are tools out there that are better than others. In regards to Zoom it is not one of the better ones. But certainly others come at a higher price, and of course, they’ve got better security and you need to consider and pay for that. I’m sure you’re using the paid Zoom version so that’s helpful as well. But because when you think about organization, so companies, they need to make money, so free usually means that their privacy and security features are probably not going to be very good or as good as a paid version. But certainly there are lots of organizations that are doing rankings and are looking at comparing tools against each other in terms of those features, so it’s something to be aware of.

 

Paul: It’s great to see your face we’re recording, of course, I get to see Marilyn today, I get to see Ty, that face-to-face thing is nice, this is my entire social outlet in the Covid-19 world. I get that there’s organizations where they’re just like, “no, we’re not going to do video, we’re not going to do any of this stuff, but it really de-personalizes the experience, but at the same time in that balance between privacy and intimacy, it kind of swings more towards the privacy side, right? So anyway, now I’m just kind of yammering. Here’s a big question, if we provide disclosure and get consent from people, is that sufficient from a legal perspective, if something were to happen and some of that information got out somehow assuming that it didn’t get out nefariously from a rogue employee or something like that?

 

Marilyn: Ultimately, you’re still responsible for a choice of the tool. So you know, organizations are required to do their due diligence. Certainly, that’s called a Privacy Impact Assessments which are not mandatory for the private sector yet in BC, they are mandatory on the public sector side, and it’s certainly something that I think is going to become law when our private sector law is updated. So what I have been advising people is that you really should be doing your research, ignorance is really not a defense, if you decide that you’re going to use a tool, a video conferencing tool because it’s a necessity to carry on your business or for part of your business then you need to be able to justify that you did look at some options and that you chose a particular one based on the fact that it did have better sort of privacy and security features.

 

Certainly, it’s challenging for smaller businesses in terms of affordability, and you know, I totally understand that it’s certainly if you can use a free application versus a paid one, then you’re making a business decision in regards to that, but you do have to look and assess risk at the same time, because you can’t…

 

Paul: Aren’t people terrible at assessing risk Marilyn?

 

Marilyn: They are in general and you guys probably see that all of the time.

 

Paul: Well, and I think studies have been done on this, people are terrible at it. There’s a reason people buy $15 electronics and then spend $12 on the one-year extended warranty because people are terrible at assessing risk.

 

Marilyn: Right?

 

Paul: And I don’t know, obviously, lots of warranties are warranted, but how deep down that privacy rabbit hole is…something terrible happens, some information gets leaked, it shows that somebody did some research, thought it was pretty secure, document I guess the decision?

 

Marilyn: Yes, you have to document your decision process. Well actually, you know what it points to the fact that businesses really do need to have what’s called a privacy management program because what that program allows you to do is well be aware of privacy considerations in general, but the requirements of that program, which is by the way, recommended by the privacy commissioners, both the federal and the provincial commissioners in Canada is really about your organization being accountable for the personal information that you collect, use and disclose. So under that management program, you would actually do an inventory about the personal information you collect, you would look at who are your data subjects, like who are you collecting that information from, you’d have categories, like employees or clients and customers, or even volunteers, if you’re a non-profit or charity and donors, that’s also another consideration that non-profits and charities have to consider. Then it’s certainly looking at okay “how are you collecting that information? Where is that information being stored? Who’s got access to that information, how long are you keeping it for, and then ultimately, how are you destroying that information properly?” So doing that data inventory as the starting point is really important, then it helps you to understand, “Okay, where could you be collecting more information than you need, or are you collecting duplicate information, how do you make sure that you’re not, is your storage and IT security appropriate? Or if you are handling physical paperwork – is it locked up properly? How is even your office alarmed and who has those pass codes and how are often are you changing them?” There’s lots of little nuances involved in that that you are actually documenting, and then you’re looking at how do you assess privacy in regards to risk and considerations, that also includes looking at your service provider contracts and you want to make sure that they’re actually following proper privacy policy and practices within their own organizations, because if you’re passing off information or they’re able to access it, you want to ensure that, again, you’ve got that level of protection.

 

You know all of this. It’s so funny, I think there’s a lot of business leaders who haven’t really realized how important that is. As I mentioned earlier, that whole…I think there’s been a lot of focus on IT security, which is of course critical, but without that privacy, solid policy and practices that are in alignment with that IT security, there is so much more risk and vulnerability.

 

I think I read recently that a lot of breaches now are really…I think it’s a 90% plus are really based on now email phishing scams and getting in and you guys would know it better than me…

 

Paul: Yes that’s it.

 

Marilyn: And a lot of that’s related to staff training, so if there’s privacy policy, there’s practices that are integrated into onboarding orientation, but then there’s ongoing privacy training that happens, whether that’s just providing them with some of the updates, like I even distributed within my weekly updates. It’s just keeping people aware of privacy considerations and integrating that into developing a strong privacy culture…

 

Paul: Let’s talk about the privacy culture in a second. I love… You’re so eloquent in how you deliver around the data collection, and I would just say something, blunt like “if you don’t collect the data, you can’t lose it.” Right?

 

Marilyn: Or, it can’t be at risk.

 

Paul: If you purge it and it’s gone, it can’t be hacked, right? And from an IT perspective, that fits so, so beautifully with what we try to do, which is to protect that data, but that if people can just start from the beginning in terms of “what is the data that we actually do collect?” And I know Ty you’ve gone into a lot of detail and some of the presentations in the past and really looked at this, and you’ve even worked with some customers in terms of kick-starting that process. Why don’t you talk about that data collection piece?

 

Ty: Yeah, I had a quick thought too for Marilyn on that term privacy culture. The term privacy culture is one that really stands out to me, and I’m getting better at seeing where it exists and where it doesn’t exist through my conversations in helping businesses. An example being sort of during the height of the rush to move to Zoom, they were quite publicized, it was all of the news, the issues they have, and then shortly thereafter, (Paul touched on this) they fixed the leaks, they went in and made a bunch of significant improvements. And I remember talking to a business about that, and they had held off on using Zoom, and then it started to trickle out that they had secured these problems and that, and then the business came back and said, “we’re going over to zoom now, it’s all fixed.” And it’s not that simple. You still responsible for choosing the tools on the platform and most importantly, deploying it and managing it correctly, Zoom or many, many other companies can do all the right things on their side, but you can still use it incorrectly, you can still not apply a good privacy culture to it and not be pragmatic and make some really big mistakes, and that was, I think one place where we definitely put a bit more weight behind Microsoft Teams, and part of the reason for that was, is that the tools and the mechanisms to secure it and integrate it with already good existing security are just much more secure. An employee leaves, you can essentially hit one button and lock them out of your entire Microsoft environment, including Teams, and they instantly lose access to all of that data whereas some paid or free shared Zoom account or a similar tool if you miss that, they could potentially have access to it for weeks. But I want to kind of touch on that.

 

One thing that struck me recently, and this also comes back to privacy culture, because what I’m really noticing is that some companies are just beginning to develop it or haven’t quite yet because it just hasn’t needed…Well, not needed to be, but they haven’t been forced to make it part of their culture. I recently going into a restaurant, they asked for contact info for contact tracing for Covid. Right, so if you have a diner that comes in and there’s an outbreak, they have the contact info to contact that person and anybody else who’s in the restaurant that day. And I immediately thought about that and thought, “well, this is a brand new practice for you as a restaurant, you’ve never had to take that information before, and it was being written down on a basically a piece of paper…”

 

Paul: Next to your credit card?

 

Ty: Not quite that intensive but name, telephone number and email address. And so that’s PII right there. I thought, “okay, well, that’s probably being stored on the clipboard that it’s being written down on, and I don’t know if it’s being entered into computer, if it’s being put in an unlocked drawer, and I mean okay, name and number, don’t love handing that out.” But what really struck me like a day later as I was thinking, “what if I or somebody in my party did come back with a positive Covid test, this restaurant, I’m sure through that process, now I’m going to become privy to my health information, they’re going to know that I do or don’t have this virus, and they’re going to know everyone who’s in that restaurant at the same day who was possibly exposed,” and that to me starts me to being very private information, and obviously during a pandemic, we have to use that information to try and control outbreaks and I’m sure if done properly with the right amount of care, it’s acceptable, but I didn’t think a clipboard with that information was necessarily a very mature privacy culture. And I can understand it, I mean, they restaurant that’s just trying to get by, get diners back in to sell food and keep their employees working, they had to put something in place, but it was done very hastily and they were not unique, and I do wonder how any other businesses are faced with similar new mechanisms that they don’t have the culture to basically support.

 

Marilyn: Okay, I’m happy to comment on that. So I mentioned that by mid-March, that the Privacy Commissioners Office had released that information on tips for working from home, basically, their next big release was in regards to exactly what you’re talking about, it was about collecting personal information at food and drink establishments during Covid-19. So that was released on June 19. So there was guidance put out, which basically notified the restaurant industry that they needed to follow some compliance and certainly collect information, but minimal. It was interesting when you said name and email address and phone number. The guidance document actually says you need the person’s name and phone number or email address, either or not both because you’re trying to collect the minimum amount of information that you need to contact a person. But the goal of that is, as you said, is for contact tracing purposes, they are required to keep that information for 30 days and 30 days only, so they’re supposed to set up a practice where once they reach that 31 that they’re wiping that information off their system, because certainly if an outbreak happens within a two-week period, and then they would be able to notify people based on that 30 a record that the restaurant is supposed to be holding. The restaurant itself is supposed to be clearly explaining why they’re collecting that information and for what purpose, and in regards to the limitation on storage. But you’re right, it should be secured, so collecting it on a clipboard, I mean, as long as the person is holding the clipboard and nobody else can see that information, that’s one thing, but I agree with you. I went to a restaurant where they actually had the clipboard at the door for people to sign their name and add in their information in one sense, we said, “oh well, we know the people that we are meeting are already here,” but the fact that it was public like that is not good because I could be coming in and writing down names and email addresses and sending phishing emails to people if that’s seen in a public area, so certainly they were supposed to put in a safeguard around protecting that information, that should have been better than the clipboard information. And also you had some concerns about the restaurant holding on to that information and utilizing it for different purposes, they’re not allowed to do that. Very specifically, they’re only collecting for the contract tracing purpose, and that information would actually be handed (if there was somebody who’d been confirmed, a confirmed case, who had been at the restaurant), then the Public Health Officer would actually go to the restaurant and get that 30-day record and they would do all the contacting, it would be outside the restaurants purview to do that.

 

So the Privacy Commissioner did release very specific guidance, but it’s important that people are aware of it. So if you see a practice like you and I did where they are collecting information in a more public way and not protecting it properly as citizens, we should say, “look, I’m giving you this information for a specific purpose, but my understanding is it’s supposed to be protected appropriately by you.” So it doesn’t hurt to certainly make sure that we’re protecting our own information when we see laxes in ways that people should be looking after. I think one of the big things about Covid and some of the privacy things that I’m seeing is that there’s certainly greater awareness, people are starting to think more about, “okay, maybe I’m doing more online shopping and I’m giving my information away, am I really getting a benefit from that, or do I feel funny about what they’re asking for, should I question what they’re asking for?”

 

I can actually think of… I can share a personal experience with you. My car insurance expired during this Covid period and so I had to… it was great, my insurance company was able to help facilitate that renewal, but what it took was not only me being on the phone with the insurance agent, it also took me emailing them specific information, and so she said to me, “you need to send me I think it was my driver’s license, my birth date, and something else.” For some reason it had to be in writing, and I said, “I don’t feel comfortable with giving you all of that and sending it by email, can I not give you portions of that over the phone,” and her answer was “no, that was the way they were told to do it.” And so I thought about that afterwards, and I really felt that there should have been more guidance to me the consumer, they should have told me, “okay, well, you are required to send this, but as soon as you send it and I tell you I received it, you can erase it from your system, so it’s not residing your system. That’s one level of protection.” Then I wanted to know, well what do they do with it at their end. Are they taking that information and having to store it for some reason to prove to ICBC that they received from the customer, or are they just taking that information and entering it into a system and then destroying that information as well, like how is that being handled? I actually, to be honest, kind of nervous about that. And I actually have an insurance client, so I sent them a note saying, “Okay, well, I just done this process, and I’m not really feeling comfortable with it, and I think this is something you need to consider at your end providing guidance to the customer on how to protect their personal information after they’ve sent it to you using this not very secure system.” And then maybe being a little bit more clear and transparent about what happens at your end with that email. Does it just sit in that agent’s records or folder or something, and does it really need to be saved and stored after it actually goes into their system? So there was… I had questions about that, but because I obviously know more about it and I will wonder more about what the processes are that are involved with it, but I felt it was important to point out, because I felt there’s probably a whole bunch of people around BC who’ve got sent emails with their very sensitive information, and if their email system was hacked then that would put them in a pretty vulnerable situation.

 

Ty: Two thoughts, one is, you mentioned them guiding you as a consumer, and I think that’s sort analogous to my restaurant experience. They’ve done up this piece of paper with name, address and email fields and but no one actually advised is that you don’t have to fill out all these fields which I think is a terrible reason to give information over. If someone had of actually said all we need it a basic contact info one or two of these things and we’re going to destroy it after 30 days. It’s very easy to communicate that. It also shows that part of that culture those front end staff were probably not trained on anything at all other than collecting the information which is problematic that sounds similar to your case.

 

The other thing is you mentioned the sent item and it’s really important as well because not only is it residing on that insurance providers server and their backup, which makes it very problematic in most cases to purge that information, very few backup systems can easily remove information from every version of the back-up, it is arduous in almost every case. It’s one of the biggest problems with removing information from our systems because our backups are so good nowadays, but it’s in that person’s sent items as well. And I am thinking of the case like my grandmother there, or somebody who is not quite as tech savvy, it’s unlikely they have multi-factor authentication, maybe they don’t have a great password, and now it’s in the mailbox they had from their ISP for 20 years that is on some archaic email system that backs up to the states still and the information ends up in so many places so quickly, and in some cases with very little security all because we asked somebody to provide something without really thinking through the process and all of the ramifications of it which is a very common problem.

 

Marilyn: Yes, I agree. Every business is required to have a designated privacy officer, obviously, that privacy officer is not going to know as much information as I do about privacy, but there are basic things that they should be following and guidance certainly from the Privacy Commissioners Office. I think…You mentioned your grandmother, and it was making me think of the fact that the third public release of information from the Privacy Commissioners Office has been a brochure called privacy tips for seniors, which was released in conjunction with the British Columbia Senior Advocate. And again, it was providing them with guidance and tips, and I think you’re right, it’s very important. A lot of our seniors certainly don’t have the same understanding of technology and privacy and security, so it’s important that they get that information.

 

Paul: And at some level, that speaks to culture, and then if you talk about privacy culture within organizations, we need better privacy culture in the world, and my personal email, I have two-factor authentication and a solid password that’s not written down anywhere and all that sort of stuff, but I was just thinking, I’ve emailed my passport, my driver’s license, a few things like that, so after this call, I think I’m going in there and finding where I’ve sent that and deleted those because if it was to get hacked, which is unlikely, but if it was, it’s just a treasure trove of information in your personal email and just the thought, if anybody’s listening right now and you haven’t put multi-factor authentication on your personal email… My God, get on that right away. Because you’re just one password away from your entire life being known by a hacker and downloaded by hacker too, right? That’s just something I hadn’t barely thought about two years ago, is just one of the most terrifying imaginable things at this point in time.

 

 

Ty: It’s a good time to mention one my favourite websites, which is twofactorauth.org and that’s a website that basically lists all of the major services, websites, all that sort of stuff online that support two factor authentication, so you can just go there and look through the list and see which services you use and take a few minutes during an evening and to go through those and enable two-factor authentication and it’s usually a few minutes per service and it will be far further ahead as far as security then you were before, I definitely recommend everybody, just take a little time and go through that process.

 

Paul: So I think to wrap up today, we’re going open up the can of worms quickly on social media. We’ll go around the table and we’ll quickly give our thoughts or tips, and I think probably Marilyn at some point, we need to have you back and have an entire conversation around social media and privacy because it’s a bit of a train wreck.

 

One of the things that happened recently was there was a massive Twitter breach, and a lot of Twitter accounts by very famous people were hacked ostensibly for a Bitcoin scam where they say, “Hey, Elon Musk, I’m giving away a bunch of bitcoin f you send me this much bitcoin, I’ll double it and send it back to you,” which is just so obviously awful, but when it comes from Elan Musk from his official Twitter account, you go, “Oh, well, maybe this is a really legitimate thing.” Anyway, they’re coated a few million dollars in the process, but one of the things that didn’t really get talked about of course how Twitter allowed this to happen is completely beyond me. I don’t know that we know all the information yet, we probably don’t have time to dig into it. But one of the things that did happen was all the direct messages that all those accounts had, which are supposed to be private, they were accessible by the same hackers who were conducting the Bitcoin scam. And I know Twitter did confirm that they were accessed, and so my tip for social media is whether it’s posting what you think is a private post to your friends only or a group only, people can take screen shots, people can share information, data can leak. Or if it’s using a messenger app like Facebook Messenger or private messages on Twitter, do not really think of that as being private because all it takes is one good hack and all of that information that you’ve had private, which is terrifying when you think of when all of the potential conversations you might had on Facebook messenger or whatnot, all of that information could potentially be hacked and your private post can potentially be shared. It’s nice, so you can curate your social media, you can say, look, this is only intended for this group and stuff, but don’t expect it to stay that way, would be my one tip. Ty, why don’t you give us your one tip and then we’ll let Marilyn conclude because I’m sure she’s got a zinger for us.

 

Ty: Mine is going to be similar to yours, but the way I approach this (and I do use some social media, I take some lengths to anonymize myself and only connect with people I need to connect to) and most importantly though, I regard it as far as privacy as being private and it’s private between me, the corporation that owns that social media platform and every potential hacker that could get into it in the future, that’s is the private relationship, so I’m wary of what I put in my DMs anywhere. I wonder, Elon is sweating right now, sounds like he’s already got enough trouble at the moment.

 

Paul: And it wasn’t just one them, there was a lot of high profile people as well. There’s so many other things, Marilyn, there’s the mess with TikTok with their cozy relationship with the Chinese government, there’s the whole idea of posting when you’re on vacation to let all the criminals know you’re away, and it’s time to rob your house. Do you have a real singer for us on social media when it comes to privacy.

 

Marilyn: Yeah, but yeah, this could be a very long conversation, but maybe I should just start by telling people that I haven’t been on Facebook in years, probably five years ago.

 

Paul: That should tell everyone about Facebook.

 

Marilyn: And the other thing is this isn’t really publicized a lot in Canada, but Facebook is being fined all over the world for all sorts of various issues.

 

Paul: In Canada too, right?

 

Marilyn: Well, actually, there was something recently, it actually went through the… It didn’t go through the Privacy Commissioner Canada because he doesn’t have the power to levy any fines so it actually went through the Competition Bureau.

 

Paul: That was a few months ago. It barely made the news nowadays and it’s such a paltry amount when they get sued compared to the billions of dollars and advertising revenues that they roll over every day.

 

Ty: The $10 million fine as an operating expenditure you mean?

 

Paul: I don’t know what the number was. It was a shocking number if I got fined that amount, but…

 

Marilyn: I think it was $9 million dollars.

 

Paul: Rounding error.

 

Ty: It’s the $100 speeding ticket for the guy in the Lamborghini.

 

Marilyn: Right. Yeah, certainly on the social media side, I limit that. It’s funny, in terms of Twitter, I do have a Twitter account, but I don’t post a lot on it, and when I do, it’s only for business purposes, I’m usually re-tweeting something that somebody has already posted, so whether that’s the International Association of Privacy Professionals or something from the Privacy Commissioners Office either the Federal office out of Ottawa or the provincial office here. Yeah, but it’s funny, I think that’s one of the reasons why I decided to start my privacy update as an email, just because I’m pre-vetting of course, everything that I get through my privacy feeds and sorting out what I think is relevant for businesses in BC. But there’s actually a lot of global and obviously (we don’t have time to do a lot of that today) but there’s a lot of things happening globally that are going to look at increasing the standards and stringencies related to privacy management in Canada. So I think you’re going to see that. I keep on telling clients that this is something that they need to be aware of, these higher standards are going to become law in Canada shortly in order for us to have equivalency with global privacy laws. So it’s only a matter of time, and that’s really going to, I think, change the face. I think that right now the only requirement is to designate privacy officer who holds responsibility within your organization to ensure that you have these privacy practices in place, but I think it’ll just be a matter of time before they might move towards something like they’re doing with this new law for registered lobbyists.

 

You know, I think that it makes sense for you to actually have to register with the privacy office who your privacy officer is and I think the only way to really make sure that people are doing the right thing is to… I don’t like use the word threaten, and that’s not the right word, but it’s to state that they could be doing random audits or reviews to ensure that you do have a good privacy management program in place. So I think that’s really only going to be a matter time that’s happening in Europe right now, and we’ll certainly impact us within the next couple of years.

 

Paul: I hope they have really good security around their registry of privacy officers data. Alright, my mind is blown. Maryilyn, thank you so much for being with us today. We could talk for hours about this stuff. I hope that people listening found the conversation interesting, and if people have been listening this long and they’re intrigued by what they hear, obviously, you work with organizations on their privacy planning, if somebody wants to get a hold of you to talk about doing that, they want to get serious about their privacy for their organization, how would they best get a hold of you?

 

Marilyn: My website is ippconsulting.ca. Certainly, there’s a contact us form on the site, you can just send me an email or my phone members listed there as well, and yes, if you’d like to sign up for that weekly privacy update, please just send a note through the contact us link and I’d be happy to add you on here, you see what kinds of stuff I post that hopefully be relevant to you and your business. Certainly, yes, anybody can contact me. I’d be happy to talk to you about what kinds of privacy practices or policies you have in place, or if you have a program or to help you with developing a program that will actually meet a regulator requirements. I’m happy to do that.

Thank you so much for this opportunity to join you.

 

Paul: Yeah, and thanks Ty for joining us. I know we’ve both had an opportunity to work with Marilyn in the past around mostly around giving presentations because of the intersection between IT and privacy and I know we’re both fans of all your work and follow what you do, probably Ty more diligently than myself, but my mind gets blown every week when I did have a chance to look at the newsletter, so Thank you time for being part of Island Thrive this week.

 

Ty: Thanks everyone.

 

Paul: And if you’re listening, do know you can subscribe to our Podcast now on Google, the podcast, and also on Apple Podcast as well, so if you have a favorite podcast player, then find us there and thank you for joining if you like this topic, let us know it drop us a line, send us a message on social media and otherwise reach out, contact us if you have ideas for other podcasts, we’d love to hear them as well. And other than that, everybody stay safe and stay healthy. And we’ll see everybody next episode.