PIPEDA Privacy Act Amendments Now Law in Canada


The long awaited amendments to The Personal Information Protection and Electronic Documents Act (PIPEDA), called the Digital Privacy Act,  received Royal assent on June 18, 2015. Bill S-4 is now law in Canada.  Although Cabinet has not yet proclaimed the Act’s breach reporting provisions in force, Canadian businesses should be preparing to comply with them.

An Organization’s Obligations

There are now three breach reporting requirements “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual” as follows:

  1. Reporting to the Privacy Commissioner;
  2. Reporting to the individual;
  3. Reporting to agencies that can reduce harm to the individual.

Significant Harm

In this context significant harm is now broadly defined and “includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property”.

Consequences for non-Compliance

The Commissioner’s office may disclose information about an organization’s personal information (PI) management practices to the public if it believes disclosure to be in the public interest. The Commissioner’s office can enter into compliance agreements with organizations that it believes are, or may be, subject to breaches. Anyone who knowingly contravenes these requirements is subject to a penalty of up to $10,000 on summary conviction or $100,000 on indictment.

What does this mean in the context of cyber risk management?

It is now a requirement of Canadian organizations to report cyber breaches which may cause “significant harm” as described above to report them both to the Privacy Commissioner and to the individual(s) affected. They may also be required to notify other organizations, such as law enforcement, should damage caused by the breach potentially be mitigated.

More than anything else, this development will substantially increase awareness of the extent cyber breaches involving personally identifiable information are occurring in Canada. As a result organizations of all sizes and sectors will now be more likely to take this important subject much more seriously. Not only may financial penalties be levied, considerable damage to the organization’s reputation may result as a result of public notification and disclosure.

By Doug Blakey, B. Math

President, Watsec Cyber Risk Management (watsec.com) and Director, Canadian Centre for Cyber Risk Management (C3RM) (c3rm.org)


Protecting Yourself from Ransomware

Cyber security experts recently warned that ransomware attacks may be on the rise. This type of malware actually encrypts your data and then requires you to pay a fee in order to access it. With ransom sums often amounting to thousands of dollars, consider taking these simple steps to protect yourself from ransomware:

  • Use trustworthy anti-virus software and make sure it is up to date.
  • Enable automated updates of your operating system and browser.
  • Only download software from trusted sites.
  • Never open attachments in unsolicited emails, even if they come from people in your contacts.
  • Never click on a link in an unsolicited email.
  • Make sure to back up your data regularly and store it offline.


© Zywave, Inc. All rights reserved.

Speech Recognition is NSA’s Best-Kept Open Secret

Source: The Intercept

Siri can understand what you say. Google can take dictation. Even your new smart TV is taking verbal orders.

So is there any doubt the National Security Agency has the ability to translate spoken words into text?

But precisely when the NSA does it, with which calls, and how often, is a well-guarded secret.

It’s not surprising that the NSA isn’t talking about it. But oddly enough, neither is anyone else: Over the years, there’s been almost no public discussion of the NSA’s use of automated speech recognition.

One minor exception was in 1999, when a young Australian cryptographer named Julian Assange stumbled across an NSA patent that mentioned “machine transcribed speech.”

Assange, who went on to found WikiLeaks, said at the time: “This patent should worry people. Everyone’s overseas phone calls are or may soon be tapped, transcribed and archived in the bowels of an unaccountable foreign spy agency.”

The most comprehensive post-Snowden descriptions of NSA’s surveillance programs are strangely silent when it comes to speech recognition. The report from the President’s Review Group on Intelligence and Communications Technologies doesn’t mention it, and neither does the October 2011 FISA Court ruling, or the detailed reports from the Privacy and Civil Liberties Oversight Board.

There is some mention of speech recognition in the “Black Budget” submitted to Congress each year. But there’s no clear sign that anybody on the Hill has ever really noticed.

As The Intercept reported on Tuesday, items from the Snowden archive document the widespread use of automated speech recognition by the NSA.

The strategic advantage, invasive potential and policy implications of being able to turn spoken words into text are not trivial: Suddenly, voice conversations, historically considered ephemeral and unsearchable, can be scanned, catalogued and archived — not perfectly, but well enough to dramatically increase the effective scope of eavesdropping.

Former senior NSA executive turned whistleblower Thomas Drake, who’s seen NSA’s automated speech recognition at work, says the silence is telling.

“You’re seeing a black hole,” Drake told The Intercept. “That means there’s something there that’s really significant. You’re seeing some of the fuzzy contours of this whole other program.”  Read full article >>