US standards drive Canadian information security

Jennifer Stoddart, Canada’s federal Privacy Commissioner
Jennifer Stoddart, Canada’s federal Privacy Commissioner
An absence of legislation and the presence of the laissez-faire attitude has resulted in Canada being rather lax when it comes to compliance.
An absence of legislation and the presence of the laissez-faire attitude has resulted in Canada being rather lax when it comes to compliance.
Andy Truscott, Accenture
Andy Truscott, Accenture

Canada is an attractive target for identity thieves and malware writers. It is characterised by toothless domestic information privacy laws; a large base of SMEs (small and medium-sized enterprises), many of which are complacent about IT security and lack the resources for adequate protection; and consumers who are laissez-faire about securing their PCs.

In her 2008 report to the Canadian government, Canada’s federal Privacy Commissioner Jennifer Stoddart (1) warned of lax data protection policies at three government bodies: the Royal Canadian Mounted Police (RCMP); Passports Canada, the passport-issuing agency; and the Department of Foreign Affairs and International Trade (DFAIT).

In addition, surveys by IT security vendors and by market research firms have found that Canadian consumers are worried about the security of personal data held by banks and other organisations.

There is some good news. Canadian legislators and regulators such as Stoddart (2) want to tighten up Canada’s laws to offer better protection for consumers’ personal data. Also, US-originated standards and regulations such as PCI-DSS (Payment Card Industry-Data Security Standard) and the US government’s Sarbanes-Oxley Act (SOX) are resulting in tougher security at Canada’s largest firms.

According to the Canadian Anti-Fraud Call Centre, ID theft losses in Canada have been falling in recent years. In 2006, there were 14 332 Canadian victims, who incurred losses totaling C$15.76 m (£8.74 m). In 2008 , there were 10 327 Canadian ID theft victims, costing C$9.54 million (£5.3m).

Privacy laws

Canada lacks a law criminalising ID theft. A bill that would have made it an offence to harvest or gather identities in order to commit ID theft, even if no fraud actually occurs, was presented to parliament in 2007 (3).

“It’s not currently illegal to prepare to commit ID theft in Canada”, says Steve Johnston, co-chair of IT security association (ISC)2’s Advisory Board, Americas. “The October 2008 Canadian federal election killed the ID theft bill, but it will likely be re-introduced in the current session of Parliament.”

Under Canadian law, organisations are not required to disclose customer data breaches. “Canada’s privacy laws, such as the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which governs commercial organisations, and the Privacy Act, which regulates federal government agencies, are toothless”, says Bruce Cowper, Microsoft Canada’s chief security advisor. “Many Canadian firms have yet to start to think about PIPEDA, let alone comply with it.”

Johnston says the Canadian government wants to add wording to PIPEDA that would force firms to disclose any data breaches. “This was one of the recommendations for amendments to PIPEDA that the government accepted when the Act was reviewed”, he says.

Fiaaz Walji, Canadian Country Manager at US website filtering firm Websense, says that, as Canada’s data privacy and data security laws have no real force, Canadian organisations lag behind the US in their implementation of IT security. “The worst that can happen if a retailer violates PIPEDA, is that it would be served with a notice from the Privacy Commissioner’s office”, he says. “US privacy laws are much more draconian, which forces firms to have strong IT security.”

Andy Truscott, director of accounting firm Accenture Canada’s security practice, doesn’t think it is essential to add stringent penalties for non-compliance to Canada’s data protection laws. “The fact that Stoddart has issued a notice saying a firm is non-compliant actually hurts that firm far more than the payment of a fine, as the notice will erode customers’ trust in it”, he says.

Heather Ormerod, a spokesperson for the federal Privacy Commissioner, says firms can be taken to the Federal Court of Canada if they refuse to address complaints that they have infringed PIPEDA. “The Court can order a firm to correct any practices that don’t comply with the law, and to publish notices of how it has or will correct its practices”, she says. “The Court can also award damages to the complainant. Normally, any complaints can be resolved without legal action, however.”

Websense’s Walji says that some Canadian firms are preparing for the day when the government may introduce stronger data privacy laws. “Stoddart has been very critical of the lack of compliance with PIPEDA, so maybe the government will introduce stiffer penalties”, he says. “Canadian firms are beginning to say: ‘if we suffer a data breach, it will be a PR nightmare for us, so it is better to think ahead and get strong data protection systems in place.’”

Consumer concerns

In June 2008, CA Canada, a subsidiary of US enterprise software firm CA (Computer Associates), found that only 7% of Canadians surveyed were “very confident” in the ability of Canadian retailers, government agencies and banks to protect their personal information.

Of the three types of organisations, Canadian retailers fared the worst, with 0.5% of consumers saying they were very confident retailers can protect their customers’ online personal information. Only 9% of Canadians were very confident that large financial institutions can protect online customer information, and 12% of respondents were very confident that Canadian federal and provincial government bodies can protect online personal information.

Only 36% of Canadian IT security executives surveyed by CA said they were very confident in their organisation’s ability to protect itself against losing customer or transaction data.

According to an April 2008 survey by Canadian market research firm The Strategic Counsel, 86% of large Canadian organisations suffered an identified security attack or breach in the year leading up to April 2008, compared to 82% in 2006 and 67% in 2003.

Ottawa-Ontario divide

“Canadian firms won’t take you seriously if you only have clients in Canada, even if they are government-sector clients.”
Bill McGee, Third Brigade

There is a view that Canadian IT security vendors wanting to focus primarily on the federal government sector must be headquartered in Ottawa, Canada’s capital, and vendors focusing on commercial companies tend to be based in Toronto.

Bill McGee, vice president of Ottawa-based IT security firm Third Brigade, says it doesn’t matter whether vendors are based in Ottawa or Toronto. “To succeed in Canada, you need to have commercial clients, and you also need to have commercial clients outside Canada, for example the US”, he says. “Canadian firms won’t take you seriously if you only have clients in Canada, even if they are government-sector clients.”

Michael Legary, chief innovation officer at Winnipeg-based IT security consultancy Seccuris, says the Communications Security Establishment Canada (CSEC), the cryptologic authority for the Canadian government, and the RCMP have little influence on the private sector, except in the field of encryption. “Any Canadian civilian organisation that encrypts its data must follow Canadian government regulations on encryption, although there is no backdoor to civilian encryption programmes for Canadian law enforcement”, he says.

“CSEC participates in organisations that develop standards for IT security within Canada and internationally”, CSEC spokesperson Adrian Simpson says. “It doesn’t play a role in assisting non-governmental organisations, but could help when the data or information infrastructure involved is deemed to be of importance to the Canadian government.”

Web-delivered malware

Microsoft’s Cowper says provincial Canadian governments such as British Columbia (BC) and Alberta are providing web security awareness training for their employees. “I participated in November 2008 in the BC government’s web security training week”, he says. “It has a big focus on enabling staff to work from home, and has invested in the necessary communications technology. But it realises home-based staff will be using all sorts of social networking sites on their home PCs. So the government wanted to educate its staff about the risks of sites like Facebook.”

David Loukidelis, the BC Information and Privacy Commissioner(4), says the BC government is very security-conscious. “It requires all removable devices, such as portable drives, to be encrypted,” he says. “If I work from home, I have to use a PC supplied by my office to connect to the government’s wide-area-network, not my own home PC.”

Cowper says Canada is a big target for malware writers. “Microsoft’s malware detection systems saw a 40% increase in the amount of malware targeting Canadian computers between the first half of 2007 and first half 2008”, he says. “This is partly because Canada is a target for cyber-crooks, and also because of the amount of time that Canadians spend online and because of what they do online.”

Social networks such as Facebook are hugely popular in Canada. Around 70% of the Canadian population belongs to social networks, and Toronto has the biggest Facebook user group in the world.

“The problem with Facebook is that users have a false sense of security and trust in other members, Cowper says. “Facebook has become a major malware delivery system in Canada. People usually know not to click links in emails, but if someone posts a link to a game onto their Facebook page, they will download the link, because they trust other Facebook users. This link could result in a Trojan being downloaded to the user’s PC.”

Cowper says many Canadian firms allow their staff to access social network sites in office hours from their work PCs. It can be a competitive advantage to offer personal internet access to staff, as this may attract people to work for firms with such a policy.

In 2008, Scotiabank, one of Canada’s top five banks, decided to set up a global social network for its staff using Microsoft security technology. “Scotiabank realised its staff would use Facebook or Linkedin to chat with other Scotiabank staff around the world or in Canada”, Cowper says. “So it set up its own secure network which would allow them to carry out social networking, but without the malware risks associated with Facebook.”

The network, which includes blogs and wikis which staff can use to share their knowledge or information, is based on Microsoft’s Office SharePoint Server 2007 software.

“Canada is very different from US in terms of business distribution”, David Senf, an IT security analyst at research firm IDC Canada, says. “Canada is an SME (small and medium-sized enterprise) weighted market, with fewer large corporates than in the US.”

“Canadian SMEs lack the specialised resources needed for IT security”, says Michel Lambert, president of the Quebec branch of international professional association ISACA (Information Systems Audit Control Association). “In terms of risk management, SMEs are much less formal than big firms. SMEs will address a security problem when it occurs and sort it out, but they will live with problems as long as they can before finally fixing them. They don’t do risk assessments in advance, partly due to a lack of IT security professionals working in SMEs.”

IT security market

In 2008, the overall Canadian IT market, not including staffing, was worth the equivalent of £49.78 bn, says Jonathan Penn, an analyst at US research firm Forrester Research. “This covers all types of IT”, he says.

Penn estimates the total Canadian IT security market in 2008 minus staffing was US$1.87 billion. He says all the Canadian firms he surveyed use anti-spyware and anti-spam software.

“There is headroom in the website filtering market”, Penn says. “In the US and Canada, only a third of firms we surveyed actually use web filters to protect their employees when they are browsing websites on office computers. But big firms as well as smaller firms use firewalls and anti-virus programmes.”
Data protection is the number one priority for Canadian firms, for example telling staff that they can’t write data to a USB device unless they encrypt the files being transferred, Penn says.

Key Drivers

Two factors have acted as drivers to force Canadian businesses to tighten up their IT security systems: PCI-DSS, and SOX.

"SOX aims to provide accuracy of financial reporting, and was introduced following accounting scandals at US firms such as Enron”, says James Quin, an analyst at Canadian research firm InfoTech. “Senior execs are individually and corporately liable under US criminal law for false accounting. So corporates have to prevent people from inappropriately accessing a firm’s financial records and altering or stealing the data.” This requirement has an enormous impact on corporate IT security systems, as all IT procedures have to be documented, and individual staff may be liable if data breaches that violate SOX occur.

“SOX applies to all publicly-traded Canadian firms that are registered with the US Securities Exchange Commission - effectively, those listed on US stock exchanges”, Gordon Braun-Woodbury, national director, Communications at accounting firm KPMG Canada, says.

PCI-DSS, a global set of mandatory security practices for any organisation that stores, processes or transmits payment card information, applies to any Canadian company, organisation or government department, says Ali Afshari, a security specialist at Cisco Canada, a subsidiary of US networking technology vendor Cisco. Although it is early days for PCI compliance in Canada among retailers, the banks, credit card issuers and transaction processors are already compliant, Afshari says.

The 12 steps involved in PCI compliance are a good general IT security framework for any organisation, says IBM Canada security architect Gary McIntyre. “Canadian firms that failed to achieve PCI compliance would not likely get disconnected from the card networks, but they would face stringent financial penalties from Visa or MasterCard”, he says.

Michael DeSal, Visa Canada’s data security manager, says Visa is seeing progress in PCI compliance among Canadian third-party service providers - firms that provide payment card services to merchants and banks. These include internet payment gateways, website hosting companies, firms that process card payments for retailers, and call centres that handle card payments for retailers.

“Retailers and banks are putting pressure on service providers to comply with PCI”, DeSal says. “The way we have structured the liability for PCI non-compliance is that, if a service provider suffers a data breach, then it is the retailer which gets fined. So retailers are updating their contracts with service providers to ensure that the third-party firm is PCI compliant.

Accenture’s Truscott strikes a contrary note. He says Accenture has found that some smaller multi-store Canadian retailers are saying: ‘The cost of complying with PCI is greater than the penalties we would incur if found to be non-compliant.’ “They are doing a cost-benefit analysis and saying that it is more important to protect their payroll than to protect their customers’ data,” Truscott says. “But the big Canadian retailers are now PCI-compliant.”

Sun Life of Canada
Canadian insurer Sun Life Financial has robust IT security policies in place, CIO Carol Osler says. “We’re subject to the same security threats as any other large financial institution”, she says.

Sun Life’s security policies are driven by legislation and international standards, such as HIPAA (Health Information Portability and Accountability Act) for its US business; PCI-DSS; ISO (International Standards Organisation) IT security standards; PIPEDA; and SOX.

“PCI-DSS is not a major issue for us in Canada, as the vast majority of our customers don’t pay by card for their policies, but use cheques or bank transfers”, Osler says. “We are PCI-compliant, and, anyway, the security practices mandated by PCI are essentially what any organisation should adhere to.”

While not legally bound to disclose data breaches, Sun Life does have an official policy that, if any customer data is breached, it will immediately alert the affected customers. “We don’t issue notices to the press, for example to national newspapers,” Osler says.

Sun Life has a multi-pronged approach to data breaches, according to Osler. “We have proactive teams embedded in the firm whose role is to test our systems and applications for any known vulnerabilities, exploits, and coding deficiencies as well as inadvertent coding errors”, she says. “They have an ongoing role to search out any potential data breaches. We also have teams which investigate any reported breaches, and then set in place the necessary communications with our customers.”

Osler says Sun Life tests the security of its data communications links with its third-party vendors and service providers, and will also, when necessary, test the security of any third-party suppliers’ own applications and systems. “We may outsource a software application to a third-party, or we may give a contract to a business process supplier to run a particular claims process. But we won’t sign a contract with any third-party until we’re satisfied their security matches our standards.”

 

CIBC data breach case
As part of a server consolidation project, CIBC, one of Canada’s top five banks, transferred files belonging to its Talvest Mutual Funds subsidiary from Montreal to its Toronto-area computing centre in December 2006.

The files of 470 752 accounts of current and former Talvest clients variously contained client names, addresses, signatures, dates of birth, bank account numbers, beneficiary details, and social insurance numbers.

Officials decided the amount of data being transferred was too large to permit a transfer over an internal network, which was CIBC’s normal practice.

CIBC decided to copy the files onto two identical disk drives – one to be sent by land, the other by air.

While the air-shipped package arrived without incident, the land-shipped package was opened and found to be empty. There was no sign the empty package had been tampered with.

CIBC alerted both the federal Privacy Commissioner’s Office and the police after a thorough search failed to turn up the drive. The Office filed a complaint against CIBC for breaching PIPEDA.

Elizabeth Denham, the Assistant Privacy Commissioner, found that the complaint was justified, but said she was satisfied with the measures taken by CIBC to resolve the complaint. She also recommended that CIBC “research the available application software offerings on the market with a view to incorporating into its network one that would enable it to determine whether, when, and by whom copies of data onto portable storage devices are made.”

Source: Case summary provided by the Privacy Commissioner’s Office.

 

Identity Theft

Based on complaint date

January 1 to December 31, 2008 January 1 to December 31, 2007
Canadian Victims 11 091 10 327
Canadian Victims - Dollar Loss (CDN) C$9 542 363.66 C$6 447 099.75

Source: PhoneBUSTERS Canadian Anti-Fraud Call Centre

Royal Canadian Mounted Police

References:

  1. www.privcom.gc.ca
  2. www.privcom.gc.ca/speech/2008/sp-d_081106_e.asp
  3. canada.justice.gc.ca/eng/news-nouv/nr-cp/2007/doc_32178.html
  4. www.oipc.bc.ca/pdfs/public/OIPC-Role-and-Mandate.pdf

Sources:

What’s hot on Infosecurity Magazine?