Reducing Risk and Fostering Breach Resilience via Privacy by Design
This article is part of our Cybersecurity Blog Series, which is intended to provide readers with a 360° view on cybersecurity. To view other blog posts in the series, please visit Cybersecurity Blog Series from McCarthy Tétrault’s Cyber/Data Group
Data incidents are an increasingly common risk of carrying on any data-involved business. However, the practical and legal risks of these incidents can be managed through holistic, multi-stage planning: planning what to do in the event of a breach, and planning a system that minimizes the possibility of a data incident, makes it easier to manage and contain such an incident, should one occur, and reduces the risk of legal liability stemming from such an incident.
Adoption of the “privacy by design” approach can help to achieve this.
Below, we address the role of privacy by design principles in reducing the risk of a data incident. We explain the role these principles can play in reducing practical and legal risk, and outline a few examples of incorporating proactive and end-to-end data protection as a form of legal risk reduction. For an in-depth discussion of planning for breach resilience, see Cybersecurity Risk Management: A Practical Guide for Businesses.
Privacy by design principles
Seven principles[1] are commonly referred to as foundational to building privacy by design: (1) design should be proactive, not reactive; (2) privacy as the default in planning; (3) privacy as embedded in design; (4) privacy can be accommodated with other interests in a positive-sum manner; (5) privacy should extend throughout the full lifecycle of the data involved, from end-to-end; (6) visibility and transparency are part of design; and (7) privacy design should be user-centric. For the purposes of this discussion, we focus on two principles: (1) proactive design, and (5) end-to-end security aimed at building full lifecycle protection.
Proactive measures in privacy by design play an important role in reducing the risk of a privacy incident altogether by ensuring an organization is taking a risk-focused approach to deciding what data to collect and to retain. The principle is defined as follows:
The Privacy by Design (PbD) approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred — it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.
End-to-end security in design, in turn, reduces risk by ensuring data security is consistently maintained and its strength regularly assessed. As the principle describes:
Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved — strong security measures are essential to privacy, from start to finish. This ensures that all data are securely retained, and then securely destroyed at the end of the process, in a timely fashion. Thus, Privacy by Design ensures cradle to grave, secure lifecycle management of information, end-to-end.
The Pay-off: Reduced Risk
The first few hours after a potential data incident has been identified are critical, and they can be quite hectic. Step one in an incident response plan will be to contain the incident. Soon after that will come the job of assessing what has happened and what data has been compromised. Fortunately, systems designed to implement end-to-end security and full-lifecycle protection will provide tools to make this easier.
- You will know what data you have, where they are stored, and how they are protected.
- Your data collection and retention practices will reduce the likelihood that you have large pools of unnecessary data that may have been forgotten and poorly protected.
- Your system will implement access controls and logging, helping you to understand how your data has been accessed, and by whom.
- You will have internal controls to prevent compromise of one system or interface from being leveraged to access your entire network.
All of this will help you respond faster, make your systems more resilient, and reduce your exposure in the event of an incident.
The privacy by design principles are also reflected both in legal principles governing businesses[2] and in regulatory decisions affecting business interests. The privacy by design principles help an organization to meet its obligations under PIPEDA principles 4 (Limiting Collection), 5 (Limiting Use, Disclosure and Retention) and 7 (Safeguards), for example. Adoption of these principles will therefore also help to achieve good regulatory outcomes.[3]
Cybersecurity Blog Series and Related Insights:
- Emerging Developments in Ransomware
- Getting Cyber Insurance Right: 5 Practical Tips
- Ransomware: avoidance and response
- Reducing Risk and Fostering Breach Resilience via Privacy by Design
- Preparedness and response planning best practices
- Landmark ruling: The Superior Court dismisses a class action over the loss of personal information in Lamoureux v. OCRCVM, 2021 QCCS 1093
- Protecting Legal Privilege in a Data Breach Response
- IIROC Publishes Notice Regarding Ransomware Attacks
To learn more about developing a cybersecurity strategy and an incident response plan, download a copy of our Cybersecurity Risk Management: A Practical Guide for Businesses or visit the Cyber/Data homepage.
To learn more about how our Cyber/Data Group can help you navigate the privacy and data landscape, please contact national co-leaders Charles Morgan and Daniel Glover.
_____________________________
[1] Ann Cavoukian, “Privacy by Design: The 7 Foundational Principles”, Information and Privacy Commissioner of Ontario (January 2011).
[2] See Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, Schedule 1, Principles Set Out in the National Standard of Canada Entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96.
[3] See, e.g. “Online service provider that suffered a breach had appropriate safeguards in place”, PIPEDA Report of Findings #2014-004 (23 April 2014).