Saturday, January 03, 2004

Article: Nothing's sacred ... nor secret

Below is a link to an interesting article from San Francisco about the connection between security and privacy. The author describes some recent incidents that emphasise the role of security in protecting privacy. The first incident shows how identity thieves may target inadequately secured computers that contain sensitive personal information: Nothing's sacred ... nor secret, with thanks to BankingInfoSec.com for the link.

An article in the Register.co.uk discusses lessons to be learned from the theft of a bank's laptop containing customer account information. Though it is pretty specific to the banking industry under California law, the author's conclusion is rather clear:

Companies ... should remember that they are mere fiduciaries of other people's money, information and privacy, and do the right thing to protect it in the first place. And they should notify consumers promptly if the information is compromised, and help their customers fix any problems that result from the potential breach. It may not be the law, but it's a good idea.

Under PIPEDA, organizations are responsible for safeguarding personal information against accidental or malicious access, destruction or disclosure. While there appears to be no obligation to inform customers about such a breach, the moral imperative is clear. In addition, disclosure gives customers the opportunity to mitigate any harm that may result from an accidental disclosure.
