Firms missing steps to protecting digital personal information: Privacy commissioner

Frequently changing passwords, encryption among best practices

Canadian businesses are storing more and more personal information digitally, but many are not using the technological tools or implementing the recommended practices to protect this information, a new survey  commissioned by the Office of the Privacy Commissioner of Canada has found.

Companies are storing personal information on a variety of digital devices, such as desktop computers (55 per cent), servers (47 per cent) and portable devices (23 per cent). Three-quarters (73 per cent) are using some type of technological tool, such as passwords, encryption or firewalls, to prevent unauthorized access to the personal information stored on these devices, found the survey of 1,000 employers.

But many businesses may not be adequately using technology when it comes to protecting the personal information they store digitally, the office said.

For example, passwords are the most popular technological tool used by businesses to protect personal information with 96 per cent of employers using them. However, of those using passwords, 39 per cent do not have controls in place to ensure that those passwords are difficult to guess, and 27 per cent never require employees to change passwords.

"Using passwords is like locking your front door. They can be a very simple and effective way to protect valuable personal information," said Privacy Commissioner Jennifer Stoddart. "But simply setting a password is not enough to thwart today's savvy online criminals — passwords must to be complex and dynamic."

While nearly one-quarter of businesses are storing personal information on portable devices, such as laptops, USB sticks or tablets, almost one-half of those who do (48 per cent) do not use encryption to protect the information on these devices.

"Encryption is one step better than locking your doors — it is like putting information into a safe — and it can really help limit the risks if a laptop is stolen or a USB key is misplaced," said Stoddart. "Businesses that lose their customers' data, lose their customers' trust, so they need to take every precaution to ensure they safeguard personal information they hold."

The survey did find that more than three-quarters (77 per cent) of Canadian companies attribute considerable importance to protecting privacy.

"I am encouraged to see that companies are beginning to realize the importance of building privacy into their business processes," said Stoddart. "Smart businesses know that taking the time to build privacy in from the beginning is much easier than cleaning up a privacy breach down the road."

Other highlights of the poll include:

•Thirty-two per cent of businesses have staff that has had training on appropriate information practices and responsibilities under Canada's privacy laws.

•Forty-eight per cent of businesses have procedures in place for dealing with complaints from customers who feel that their information has been handled improperly.

•Just over three-in-five businesses have a privacy policy.

•More than one-half (57 per cent) of companies that have a privacy policy update it at least once per year and of those that do, 35 per cent have notified their customers about the changes.

•Thirty-nine per cent of companies view protecting privacy as a competitive advantage, with 24 per cent seeing it as a significant advantage and 15 per cent a moderate advantage.

Latest stories