The CBC Radio segment has been archived and is only available from CBC by request.
Another in my series on CBC Radio鈥檚 Ottawa Morning. In this segment, host Robyn Bresnahan and I discuss the legal obligations of data holders in Canada.
Read about the situation that sparked this conversation on CBC News.
Reasonably Accurate 馃馃 Transcript
[00:00:00] Robyn: Greg Patterson is a commercial landlord in Ottawa.
He used to rent office space to a tech company that did I t work for other businesses.
But a little while back, the company ran into money problems.
It defaulted on its rent and then suddenly moved out.
When Greg Patterson inspected the abandoned office, he was greeted by items he did not expect to see.
Boxes filled with employee files, social insurance numbers and banking information.
Also dozens of hard drives and servers.
Patterson says he wasn鈥檛 sure what to do with the gear, so he recently gave them to an I T specialist, and he was shocked by what that specialist discovered.
So they did a quick revision on the drives and found a staggering number of files in the 10 million range on approximately 30 hard drives, which is baffling to me.
How could anybody leave these drives behind?
I don鈥檛 understand.
There鈥檚 a significant quantity of information on those drives that would be considered personal private.
A couple of different options, including providing them their information back.
Well, it turns out the hard drives and servers contain sensitive information belonging to the companies that had outsourced their IT. To the now defunct company.
So how common is the scenario, and who鈥檚 responsible for safeguarding the digital data that we give businesses?
Mark Nunnikhoven is the vice president of Cloud Research at Trend Micro, which is an Ottawa data security firm. He鈥檚 also our technology columnist here on Ottawa Morning.
Hello
[00:01:48] Mark: Morning.
[00:01:49] Robyn: How common is a scenario? A business outsourcing its IT to another company?
[00:01:50] Mark: That鈥檚 very, very common because a lot of businesses realize that they鈥檙e not in the business of running computers.
They鈥檙e in the business of selling clothes or making widgets or whatever that cases, so it鈥檚 often seen as a cost center that can easily push off to somebody else.
So this is why you see outsourcers at all scales, whether smaller, large are very, very common.
[00:02:09] Robyn: What do you make of this case in particular?
[00:02:12] Mark: It鈥檚 an interesting one, especially because, you know, it鈥檚 the landlord who鈥檚 coming forward and trying to do what鈥檚 right.
But it does highlight a risk is that when you outsource your I t.
You鈥檙e taking the data that you鈥檙e entrusted with as a business and relying on another company鈥檚 practices.
So that鈥檚 a challenge, because it鈥檚 still your responsibility.
Even though you鈥檙e outsourcing your I t operations, you鈥檙e still on the hook for it as a business.
[00:02:38] Robyn: You know, very personal data from from employees in that kind of thing.
Ultimately, it鈥檚 your responsibility, But鈥ut who could come back? That you know your your name is on there.
Your social insurance number.
Um, and you鈥檙e thinking, Well, hang on.
Why was this left in an abandoned place?
You could go back then and sue the company that has this information in the first place.
[00:03:13] Mark: Yeah, it鈥檚 challenging.
So, you know, the normal disclaimer comes around is that I鈥檓 not a lawyer, but the way I can walk you through it is is it鈥檚 a chain of relationship so if I entrust my information as a person to accompany.
So in this case there was political parties.
There were non profits.
So they鈥檙e gathering personal information.
Will say we were a donor to that nonprofit and we have our financial information with them.
They are responsible under Canadian legislation for the security and safety of that data from the time they have it to the time that they no longer require it.
So that鈥檚 called data retention Onda.
At the time when they no longer required anymore whether they have legal obligation to keep records for a while, they have to properly dispose of it.
So what happened in this case is that the outsourcer was managing the data.
But now there鈥檚 a new relationship created between the original company who we鈥檝e entrusted our data too.
That company and the outsourcer, but from us is the data the the data subject.
It鈥檚 our relationship with the original collector.
[00:04:17] Robyn: So what can organizations do to ensure that cos they鈥檙e outsourcing their i t to our are treating this data responsibly?
[00:04:24] Mark: So if that鈥檚 all part of the contract negotiation.
A part of your research when you鈥檙e going to these organizations and the challenge you have is a lot of the time.
Outsourcing is seen as that cost center, so its lowest bid wins.
And that might not be the best thing and in fact, the most efficient spend for the original business who鈥檚 looking outsource.
So you want to do your due diligence.
You want a research, you want to talk to existing customers.
You want to look at the track record, and you want to see the policies and procedures they have for managing the data that you鈥檙e going to be entrusting them with.
Because as a business, you need to take that ownership of people鈥檚 data very, very seriously, not just because of the legal implications in Canada, but also there鈥檚 a very real threat of identity fraud.
So in 2018 Canadians lost $21.2 million to identity fraud, and that was almost double from the previous year.
We鈥檙e expecting to see almost the same for 2019 statistics.
It鈥檚 a real problem.
[00:05:16] Robyn: What about the public themselves?
Is there anything that they can do?
Thio protect themselves from this because a CZ you say lots people, for instance.
I like your example of donating to a charity or something like that.
I don鈥檛 want to stop donating, necessarily because they fear where their their information may end up.
Is there anything that people can do to take this into their own hands at all?
[00:05:36] Mark: I think the easiest thing to do is question the information you鈥檙e giving over.
Ah, lot of the Times organizations will ask for more information than they necessarily need S o.
The best way to protect your information is not to be giving it out.
Left, right and centre.
Now, in general, that鈥檚 pretty reasonable.
In Canada, if you look at the U.S., they鈥檙e much worse.
As far as asking for Social Security numbers left, right and center in Canada, we tend to protect our sin, which is a really hard thing to change.
So question the information you鈥檙e giving over.
Ask to see their privacy policy.
That鈥檚 a requirement under Canadian legislation to be able to talk to somebody, to see what information is stored about you and how it鈥檚 being managed on dhe, then just keeping track of that sort of, in general.
So being aware that okay, I鈥檝e told certain people about this information and then monitoring your own accounts of looking, you know, for indicators of fraud which aren鈥檛 actually big changes to your finance.
It鈥檚 the little stuff we see.
Criminals will make minor transactions, like under $5 to see if they鈥檝e got a valid account on dhe, then go up from there.
[00:06:34] Robyn: I鈥檝e had that happen to me before.
Somebody in Salt Lake City buying a lot of fried chicken on my my British credit card.
Have you bean a victim of identity theft?
[00:06:42] Mark: I have. I travel quite a bit globally, and I鈥檝e probably five or six times.
My credit card over the last five years has been compromised mainly because of where I鈥檓 at.
I don鈥檛 have the normal protections in Canada were quite advances.
First chimp in a lot of really great anti fraud, which is why I actually have a secondary credit card I use when I鈥檓 traveling.
So if that one gets burned, it鈥檚 a pain.
But it鈥檚 not the end of the world.
[00:07:05] Robyn: Interesting. Well, lots of people, I鈥檓 sure in those shoes as well. Thank you, Mark.
[00:07:08] Mark: Thank you.
[00:07:10] Robyn: That鈥檚 Mark Nunnikhoven. He鈥檚 the vice president of cloud Research at Trend Micro and Ottawa data security firm, and he鈥檚 also our technology columnist.
