Alejandra Brown: Introduction to privacy and overview of privacy and data residency rules that apply to BC nonprofits.
2. Privacy and Data Breaches
© 2018 Kirke Management Consulting. All Rights Reserved - Private and Confidential
3. Something in Common?
• Large and well-known organizations
• Strong reputations…
… until they didn’t
• Breaches could have been avoided
4. 2018 Breach Examples
(Timeline slide: 2018 Jan - Jun, Jul - Dec; 2019 Jan - Jun, Jul - Oct; 2020)
• Marriott / Starwood - 500MM records
• Ontario Cannabis Store notifies of a breach through Canada Post - 4.5K records
• Air Canada, through mobile app - 1.7MM records
• BMO and Simplii - 90K records
• Under Armour MyFitnessPal - 150MM records
• Facebook – Cambridge Analytica - 87MM records
• Facebook exposed sensitive data - 29MM records
• Facebook exposed sensitive data - 100MM+ records
• Desjardins employee exposes data of 2.9MM individuals
• Capital One - records exposed in US and Canada
5. NFP Privacy Breaches
https://www.vancourier.com/alleged-hiv-aids-privacy-breach-could-become-class-action-suit-1.23811118 https://www.oipc.ab.ca/media/993856/P2019_ND_014_008114.pdf
• King Edward Child Care Society, Edmonton AB - Sep 2017: Emergency backpack with first aid supplies and children's information was left at a playground
• JDRF – Mar 2018: Human error caused donation history to display on their new online donation system; the information breached included name, email address and donation amount
• BC HIV/AIDS NFP privacy breach could become a class action lawsuit - 2019: Excel file with employee info sent through email, unprotected
• Legal Aid Society of Orange County – Jan 2017: Tax forms were made accessible through search engines
7. It is a Hyper-connected World
8. Global Privacy Regulations
Canada
• Federal
  • PIPEDA (private sector)
  • CASL – Anti-Spam Legislation
• Provincial (BC, AB, QC)
  • PIPA (private sector)
  • FIPPA (public sector)
USA
• HIPAA
• CCPA
• COPPA
• CalOPPA
EU
• GDPR (2018)
• E-Privacy Regulation (TBD)
9. Privacy vs Security
• Privacy focuses on governance around use, disclosure and retention of Personal Information
• Security is concerned with measures to restrict access and protect Personal Information during collection, storage, and transmission
10. Importance of Privacy for NFP
NFPs interact with different stakeholders:
- Donors / funding contributors
- Volunteers
- Employees
- Clients
NFPs may need to manage very sensitive information:
- Examples – immigration status, health status, financial position and contributions
Wherever data is managed there is always a risk of data loss:
- Losing data may prove damaging to the affected individual
MOST IMPORTANTLY
- NFPs' reputation and brand identity are paramount to their main objective (fund raising)
- The public has been shown to be less forgiving of NFPs when it comes to trust
11. Common Areas of Vulnerability
Human Error
• Collection of donations and credit card info
• Storage, transfer and disclosure of employee, donor, volunteer or client info
• Storage of PI on digital assets (e.g. laptops, smartphones, USB sticks) or any other unsecured environment
• Disclosure of PI to third parties and/or too broadly within the organization
• Lack of awareness of privacy obligations, what constitutes a breach and what to do if one takes place
12. Effective Privacy Program
Understand regulations that apply to organization
Have a designated CPO
Have clear and simple policies around Privacy, including a Privacy Notice on the official website
Keep Privacy principles in mind for new campaigns, processes or initiatives – especially for Digital Marketing
Ensure 3rd party contracts have clear Privacy provisions
Educate employees and relevant stakeholders on their obligations – provide regular training
Ensure that questions, gaps, complaints are easily funneled to the CPO
Have an Incident Management Protocol in place
Review Privacy practices periodically
Ensure cybersecurity coverage is included as part of insurance
Ensure PI is identified and protected – include IT security measures
13. Privacy Notice and Principles
Privacy Notice
Identify what PI you collect, use and share
Describe what protection you use on PI
Share where you store PI and who has access to it
Provide a contact for anyone with questions or concerns
Privacy Principles
Request consent where necessary
Limit use of PI
Share only on a "need-to-know" basis
Create awareness in the organization – keep privacy top of mind
Be accountable, respond quickly to issues and take responsibility
14. Where Do We Go From Here?
Determine what is your level of Privacy maturity
Assess your risk and current gaps
Adopt “quick-wins”
Appoint a CPO
Create or review privacy policy
Train employees, volunteers on privacy practices and their obligations
Identify IT security areas of risk
Include appropriate disclaimers in your e-Newsletter sign up form
Establish an incident response procedure
Bring in experts when required
15. Resources
• Privacy tools - https://kirke-consulting.com/tools/
• Privacy checklist for NFPs - http://www.charitycentral.ca/wp-content/uploads/privacy-en.pdf
• Privacy concerns for NFPs - https://www.techsoupcanada.ca/en/community/blog/privacy-and-data-concerns-for-nonprofits
16. Thanks!
Ale Brown – abrown@kirke-consulting.com
17. About Kirke
Strategy. Transformation. Results.
We are a strategy consulting firm that enables business growth and minimizes corporate risk. We
believe that safeguarding personal information has become paramount in a rapidly expanding digital
world, therefore we help organizations gain relevant data insights to build tighter relationships with
their customers, all within a strong privacy management framework. This results in increased brand
recognition, improved reputation in the industry and trust within their customer-base.
http://www.kirke-consulting.com/ contact@kirke-consulting.com
Editor's notes
Privacy – all areas of the organization are responsible for this
Security – responsibility falls mostly on IT
When disclosing data, make sure:
a) you are letting individuals know that you share the data (even if it is internally) and obtain their consent;
b) you have the appropriate 3rd party agreements in place – if they have a breach, you ultimately have responsibility too;
c) ensure internally the data is not propagated beyond the original group you share it with (be the central point of contact) – the more disseminated, the higher the risk
Don't forget CASL for Digital Marketing
We will share a privacy questionnaire that shows where the risks lie
Incident response