The risk of a privacy breach is a very real possibility for many organizations, including charities, and the consequences can be severe. The following headlines demonstrate that no organization is exempt.
- B.C. woman shocked to find private medical information of 10 other people in file
- A Calgary liquor store paid a ransom this week to regain access to its computers after hackers infected its database with a virus — and even got an unofficial receipt thanking it for its involuntary "purchase."
- It’s still unclear if personal data on an unencrypted hard drive missing from the BC Ministry of Education has been used by anyone.
- Family services sued after personal info hacked, posted on Facebook
- As many as 8,300 patients had contact information turned over to private RESP companies by employees
Despite these headlines, we know that many breaches are not reported and that organizations are often caught off guard. According to SC Magazine, about 77% of organizations are unprepared for cyber-security incidents. They quietly go about repairing damage and strengthening security, unbeknownst to the individuals who may be affected. For others, it is only on hearing news of a breach at a neighbouring organization that questions arise about the effectiveness of their controls and the security of their information and systems.
This will all change when the mandatory breach reporting requirements included in the new Digital Privacy Act (Bill S-4) come into force. The Digital Privacy Act amended Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). A number of important changes to PIPEDA that strengthen privacy protection came into effect in 2015.
Regulations for mandatory data breach reporting are in process with no effective date announced. It is important to note that once mandatory reporting is in place, failure to meet requirements will carry fines of up to $100,000.
In my experience charities are particularly vulnerable. The pressure to minimize administrative expenses and funnel all revenue into service delivery often means there is little left over to invest in technology. Particularly in smaller organizations, technology infrastructure is often cobbled together and heavy reliance is placed on the one “IT person” to fill a myriad of roles, from IT strategist to help desk support.
To minimize the risk of data breaches, avoid the negative headlines and ultimately comply with emerging regulations, charities will want to implement a systematic approach that provides assurance that risks to the information that they collect and store and the systems that hold that information are being addressed.
Implementing the following 5 steps will provide valuable information on the organization's level of vulnerability to a data breach:
- Formally define the objective
- Identify and prioritize risks to achieving the objective
- Evaluate risk treatments
- Close the gaps
- Review and Refresh
A discussion of each of these steps follows.
1. Formally define the objective
The first step is to formally define an objective related to data privacy and security. Although this may seem obvious, it may come as a surprise that many organizations have not done so.
Often attention and resources are focused on value creation objectives. They are aptly named, as they create value for the organization when achieved. Common examples relate to:
- Improving quality of service delivery
- Increasing revenue
- Reducing wait times for service
Less familiar are those objectives that strive to preserve, or prevent the erosion of, the value of an organization. Although there are often no accolades or celebrations for achieving these objectives, if they are not realized they can cost money, expose the organization to fines and penalties, damage its reputation and may even have catastrophic consequences, as could be the case for the organizations in the headlines noted above.
These objectives often address such areas as:
- Health and safety compliance
- Integrity of financial reports
- Compliance with legislation
- Protecting assets
- Preventing fraud
We can see that objectives in any of the above areas, if not achieved, present considerable risk to an organization and have the potential to erode value.
Similar to the areas mentioned above, objectives related to data privacy and security also fall into the category of value preservation. Objectives may be developed for any of the following areas:
- Safeguarding personal and confidential data
- Protecting information systems from unauthorized access
- Ensuring full compliance with all privacy legislation
Although many organizations may informally acknowledge the importance of value preservation objectives, often they are not formally established, managed and monitored. Formally articulating objectives that relate to the security and safety of information and technology increases the chances they will be achieved. An important step in establishing the data security objective is to ensure that an owner accountable for action is assigned.
To demonstrate the remaining steps, we will use the following example of a value preservation objective for data security:
“Prevent unauthorized access to all information technology systems in 2017.”
2. Identify and prioritize risks to achieving the objective
To achieve an objective it is necessary to understand what can get in the way of success. Anticipating the risks helps organizations to understand what could go wrong and how to get the organization back on track.
As risks are identified, it is necessary to prioritize them based on likelihood and impact. This is critical to ensuring that scarce resources are focused on the highest priority risks. The two questions to ask are:
- What is the likelihood that this will happen?
- What is the impact to the organization if it does?
A number of basic risks readily come to mind when we think about our objective above, “Prevent unauthorized access to all information technology systems in 2017”:
- The wrong people have access to information systems
- Information systems are not protected
- Users can modify or delete data
As we apply the two basic questions to the example risks, we may conclude that the likelihood is high and that any breach of systems or data will have a significant impact. Avoid the temptation to be lulled into a false sense of security with the rationale that your organization is too small to bother with or that you have nothing of value.
According to Richard Wilson, partner, cyber security and privacy practice, PwC Canada: "Canadian business and public sector leaders need to better understand the full range of impacts a cyber security breach can have on their organizations. This issue has evolved far beyond data loss. Beyond financial and reputational damages, we are seeing impacts to competitiveness, product and service quality, employee retention, and the health and safety of both employees and the public."
3. Evaluate risk treatments in place
Risk treatment is a term used to describe the action that the organization takes to control the exposure to risk. The most common types of risk treatments are: avoid, transfer or share, accept, or implement controls.
- Avoiding the risk involves stopping the activity that is creating the risk. For charities this may mean stopping service, which is not a realistic option if the mission is to be achieved.
- Transferring or sharing risk is when the organization gets someone else to fully or partially accept the risk. Examples include purchasing insurance or sharing the risk with another party.
- Risk acceptance is when an organization accepts the risk. This happens informally all the time, as organizations recognize a risk and move forward without taking any action. Whether acknowledged or not, the risk has been accepted.
- Implementing controls means taking actions that reduce the level of exposure to the risk. Actions can include staff training, policies and procedures, reviews, approvals, supervisor sign-offs, completeness checks, etc.
Assessing and determining the appropriate risk treatments to address priority risks provides an organization with the information it needs to close the gaps.
Continuing with our example, risk treatments may include a number of measures such as:
- Implementing access and permission controls, such as ensuring user access is approved on a “need to know” basis
- Partnering with IT service providers that detect and monitor security
- Educating users on appropriate security protocols
- Regular evaluation of qualifications and competencies of IT staff
- Purchasing cyber security insurance
- Implementing retention and destruction policies to ensure personally identifiable information is not kept longer than necessary
4. Close the gaps
With an understanding of the objective, the potential risks and the risk treatments, it is now time to take action to close any gaps. By taking action, the organization increases its chances of achieving the objective.
It is important not only to take action but also to ensure that the action taken to mitigate risks is effective. That means evaluating the activities to confirm this is the case.
Keep in mind that the only way to completely remove a risk is to avoid it. All other actions serve to reduce the risk but will not eliminate it. With that in mind, organizations need to understand the level of risk that continues to exist after action has been taken and if they can accept the remaining level of risk.
In our example above, perhaps we conclude that users are not as security aware as needed. In this case, a common response is to implement user training. We know that after receiving training there is still a chance that users will not follow best practices and a security risk remains. Organizations need to determine if they can live with the remaining risk or if additional steps need to be taken.
5. Review and Refresh
At least annually, or when major change occurs, objectives, risks and risk treatments need to be reviewed. Change is constant. This is particularly relevant in the field of technology where information security continually needs to address new and emerging threats.
Objectives may need to be revised, and the risks to achieving the objective will change. Risk treatments also need to be continually reviewed to make sure they are working and reducing risk to an acceptable level.
Implementing these five steps will ensure that value preservation objectives, such as those needed to protect data and information systems, are managed and dire consequences for organizations are reduced.
Angela Byrne, president of Angela Byrne Consulting Inc., is passionate about helping organizations develop good structure and processes that manage risks and deliver results. She has extensive knowledge of charities and has worked with a number of organizations across Ontario. Angela is a Chartered Professional Accountant, Certified Management Accountant and Certified Internal Auditor, and holds certifications in Information Systems Auditing and Risk Management Assurance. Angela welcomes thoughts and comments on this article by email to firstname.lastname@example.org, as well as any questions she might address in future articles. You can also find her on Twitter at @byrne_angela and on LinkedIn.