Due to the global COVID-19 pandemic, businesses and organizations
are shifting their operations to home work environments. Meanwhile,
opportunistic cyber criminals are capitalizing on the coronavirus to
roll out a series of new scams to collect sensitive information and
steal money.
Widely reported examples include cyber criminals mimicking
reputable organizations such as the World Health Organization or
public health authorities to trick users into giving up their email
and password credentials, or into downloading malicious software
that enables the attacker to gain access to the organization’s
computer systems. Cyber criminals are also mimicking tax authorities
and inviting individuals to click on a link to download fake refunds
in the wake of recent economic relief efforts.
No business or organization wants to be featured on the front
page as the most recent cyber victim, or to have to notify its
clients or customers of a security breach. We briefly highlight
what your organization should be doing to safeguard its systems and
personal information under a work-from-home protocol, your
organization’s statutory responsibilities in this regard, and
provide an example of how inadequate security safeguards increase
the risk of cyber-attacks and adverse regulatory decisions.
Statutory Obligations to Safeguard Personal
Businesses and organizations have a statutory obligation to
ensure that their information is safeguarded at all times,
including while accommodating remote working arrangements.
Private companies in British Columbia must at all times comply
with the Personal Information and Protection of Privacy Act, SBC
2003, c.63 (“PIPA”).
PIPA requires organizations to use reasonable physical,
administrative and technical safeguards to protect personal
information from unauthorized access, collection, use, disclosure,
copying, modification or disposal or similar risks.
Private companies located outside of British Columbia or in a
province or territory that does not have its own substantially
similar privacy legislation, and federally regulated organizations,
such as radio and television broadcasters and inter-provincial
transport companies, must comply with the Personal Information
Protection and Electronic Documents Act, SC 2000, c.5, which
requires businesses to, among other things, use security safeguards
appropriate to the sensitivity of the information in order to
protect personal information.
If you are a public sector organization in British Columbia,
such as a university, school, municipality, provincial government,
or a self-governing regulatory body, you are governed by the
Freedom of Information and Protection of Privacy Act
(“FIPPA”), also known as FOIPPA, which requires
organizations governed by it to protect personal information in
their custody or under their control by making reasonable security
arrangements against such risks as unauthorized access, collection,
use, disclosure or disposal.
Risks posed by inadequate safeguards and phishing
The Office of the Privacy Commissioner of Canada’s
(“OPC’s”) public report of findings into its
investigation of the security safeguards of the World Anti-Doping
Agency (“WADA”) demonstrates the risks that
inadequate security safeguards pose to both individuals and
organizations with respect to phishing attacks.
On August 4, 2016, WADA was the subject of a spear-phishing
campaign in which e-mails were sent to its employees purportedly
from its Chief Technology Officer. As a result, three employee
e-mail accounts were compromised. Shortly thereafter, the attackers
were able to access the Anti-Doping Administration and Management
In total, the personal information of 11,837 athletes was
accessed by the attackers. The attackers published the personal
information of 127 athletes of different nationalities online,
including their names, nationalities, dates of birth, gender, sport
and highly sensitive personal information about prohibited
substances and underlying medical conditions. WADA subsequently
issued a press release confirming the breach and notified all
athletes whose information was published online.
The OPC found that although WADA had put in place a number of
technological, physical and organizational safeguards to protect
personal information, they were not sufficiently robust for
personal information of such a highly sensitive nature. Inadequate
safeguards in the following areas either directly or indirectly
impacted the unauthorized access and disclosure of personal
- Access controls: Password resets for new accounts were not an
obligatory practice and new passwords were not set to expire after
a certain period of time. WADA did not require two-factor
authentication to access ADAMS, which would have been an additional
security barrier against unauthorized access. There was also no
system to flag or notify users of atypical account activity.
- Monitoring and logging: WADA’s ability to detect anomalies and
intrusions in ADAMS and to analyze its logs was inadequate.
Although WADA procured more robust logging and analysis tools
following the attack, they were ineffective at the time of the
attack because they had not been adequately configured.
- Policies, procedures and training: WADA had inadequate policies
and procedures in place to give effect to its Information Security
Corporate Policy. WADA did not have an adequate privacy breach
response plan in place to ensure a quick, effective and orderly
response to the breach, nor a documented risk-management framework
to determine which security measures would be appropriate for the
risks it faced. There was also little evidence of WADA communicating
security awareness information to its staff, through training or
other means.
- Encryption: Although WADA used encryption to protect data in
transit, it failed to encrypt data at rest in ADAMS. As a result, such
data was vulnerable in the event their network was
The OPC recommended a variety of measures to augment WADA’s
security safeguards and protect the sensitive personal information
under its control. WADA entered into an
agreement with the OPC and agreed to fully implement the
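Two of the gaps the OPC identified, no system to flag atypical account activity and no ability to detect anomalies in the logs, can be closed with very little code. The following is an added illustration, not part of the article or of the OPC report or any WADA system: a small detector that runs two rules over a constructed authentication log (accounts, IP addresses and timestamps are made up) and reports a successful login from a source the account has never used, and a success that follows a burst of failed attempts.

```python
from collections import defaultdict
from datetime import datetime

# Constructed authentication log, one event per line:
# "<ISO time> <user> <source IP> <result>". Not real data.
SAMPLE_LOG = """\
2016-08-04T08:02:11 alice 10.1.1.5 SUCCESS
2016-08-04T08:15:40 bob 10.1.1.9 SUCCESS
2016-08-04T09:30:02 alice 10.1.1.5 SUCCESS
2016-08-04T22:41:10 alice 198.51.100.23 FAIL
2016-08-04T22:41:18 alice 198.51.100.23 FAIL
2016-08-04T22:41:25 alice 198.51.100.23 FAIL
2016-08-04T22:41:33 alice 198.51.100.23 SUCCESS
2016-08-05T07:58:00 bob 10.1.1.9 SUCCESS
"""

# Constructed baseline: source IPs each account used before the log window.
KNOWN_SOURCES = {"alice": {"10.1.1.5"}, "bob": {"10.1.1.9"}}

# Consecutive failures before a success that we treat as suspicious (assumed).
FAIL_THRESHOLD = 3

def parse_log(text):
    """Turn the text log into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def detect_atypical(events, known_sources):
    """Return alerts as (timestamp, user, reason). Rules:
    1. a successful login from a source the account has never used;
    2. a success preceded by FAIL_THRESHOLD or more consecutive failures."""
    alerts = []
    seen = {user: set(ips) for user, ips in known_sources.items()}
    fails = defaultdict(int)
    for ts, user, ip, result in events:
        if result == "FAIL":
            fails[user] += 1          # count the failure streak per account
            continue
        if ip not in seen.setdefault(user, set()):
            alerts.append((ts, user, f"success from new source {ip}"))
            seen[user].add(ip)        # alert once per new source
        if fails[user] >= FAIL_THRESHOLD:
            alerts.append((ts, user, f"success after {fails[user]} failures"))
        fails[user] = 0               # a success ends the streak
    return alerts

if __name__ == "__main__":
    for ts, user, reason in detect_atypical(parse_log(SAMPLE_LOG), KNOWN_SOURCES):
        print(f"{ts.isoformat()} {user}: {reason}")
```

On the constructed log the detector raises two alerts, both for alice’s 22:41:33 login; in practice each alert would feed a notification to the user and the security team, which is the control the OPC found missing.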
Tips for safeguarding personal information
The recent spike in phishing attacks and scams related to COVID-19
makes it more important than ever for organizations to consider
their obligations as custodians of personal information and to
ensure that adequate safeguards are in place to prevent and respond
to phishing and other cyber-attacks. Businesses and organizations
are dealing with enough challenges right now, and the last thing they need is
to deal with a cyber breach and the federal or provincial privacy
The Office of the Privacy Commissioner of British Columbia has
provided several recommendations to protect personal information
when employees are working from home, including:
- Encrypt any electronic devices that
store personal information including home computers, USB drives,
laptops and cellular phones;
- Employees should not use their
personal e-mail as a means to transfer personal information for
work related purposes;
- Employees should logoff or shut down
their laptops or home computer when they are not in use.
Employees should not share a laptop used for business purposes
with other individuals, including family members. If employees are
allowed to use their personal computer for work-related purposes,
then organizations should partition each device into containers
using mobile device management software, to ensure that information
used for business purposes does not flow into the container for
personal use and vice versa.
Mobile device management software can also be used to remotely
lock, access, erase data or retrieve backups as necessary. For more
information on “Bring Your Own Device” programs, review
the guidelines issued by the OPC.
Other useful tips for safeguarding personal information while
implementing a work from home protocol include:
- Ensuring employees are trained to
identify and report potential scams such as phishing.
- Ensuring employees regularly change
the passwords they use to access online services.
It is important to build awareness within your organization
about the increased risk of scams and phishing as a result of
COVID-19. Employees should appreciate that they are obliged to
report any cyber breach or potential breach without delay, so that
your business or organization can mitigate and manage the
resulting risks and obtain advice on its statutory obligation to
report to the appropriate Privacy Commissioner.
If there was ever a time to ensure that your organization has a
privacy breach response plan that prepares you for a quick,
effective and orderly response to a breach, it is now. It is
advisable to include a lawyer as part of your response team: this
not only ensures timely legal advice on issues such as when to
report the matter to the applicable privacy commissioner, but also
allows your organization to maintain solicitor-client privilege over
the forensic investigation and certain response steps, which is
important if claims or complaints arise.