Canadian Privacy Commissioners Release TJX Investigation Report

Yesterday the Office of the Privacy Commissioner of Canada and the Office of the Information and Prrivacy Commissioner of Alberta released their “Report of an Investigation into the Security, Collection and Retention of Personal Information” concerning the TJX breach. The investigation was performed to determine if, and if so to what extent, the incident was a violation of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and/or the Personal Information Protection Act (PIPA).

I love reading these types of reports; they provide great lessons to organizations!
Much of the report describes why it is important to have protections in place for personally identifiable information (PII).
I like a passage on page 3:

“The lesson? One of the best safeguards a company can have is not to collect and retain unnecessary personal information. This case serves as a reminder to all organizations operating in Canada to carefully consider their purposes for collecting and retaining personal information and to safeguard accordingly.”

I see this all the time in most organizations.
1) Superfluous PII is collected, because it’s often easier to do so, and because some area in the company thinks the organization may need it “some day.”
2) There are very, very few organizations with a truly well-defined and consistently followed disposal process. Most organizations keep PII “forever”…meaning until the computer or storage media is no longer used. And then the data is typically not removed before selling the media or throwing it in the trash.
The report provides a great point-by-point description of the TJX breach.

“22. TJX informed us that the intruder may have gained entry into the system outside of two stores in Miami, Florida. TJX stated that it is of the view that the intruder used deletion technology that, to date, has made it impossible for TJX to determine the contents of most of the files created and downloaded by the intruder.”

Gee, the hacker probably tried to cover his/her tracks!? Imagine that!
But, it is a very good point and lesson to all organizations; if you know that someone has gained unauthorized access to your data files containing unencrypted PII, you CANNOT say with certainty that the data was not copied and given to others! Too many organizations make such publicized statements following breaches.
The only way an organization can say with any degree of confidence that PII was not obtained by the intruder is if the data was strongly encrypted and the intruder did not have the decryption key.
It is good to carefully read through the findings for the three primary issues identified by the Canadian privacy commissioners:

“‚Ä¢ Did the organization have a reasonable purpose for collecting the personal information affected by the breach?
• Did the organization retain the information in compliance with PIPEDA and PIPA?
‚Ä¢ Did the organization have in place reasonable safeguards to protect the personal information in its custody?”

If your organization had a breach, and these questions were asked of you, how could you respond?
This report can be used as a great case study for organizations in their information security and privacy training sessions, along with using the lessons learned within awareness communications.
Let’s look at some of the Canadian privacy commissioners’ findings.
For the question, “Did the organization have a reasonable purpose for collecting the personal information affected by the breach?” some of the findings that caught my eye included:

“41. The collection of the drivers‚Äô license information, however, is a different matter. In our view, we can draw an analogy between the collection of drivers‚Äô license numbers as numeric identifiers and the collection of the Social Insurance Number. The OPC and AB OIPC have stressed that a SIN is not a de facto identifier and should only be used for legislated, social benefit purposes, as was intended.
42. A driver’s license is proof that an individual is licensed to operate a motor vehicle; it is not an identifier for conducting analysis of shopping-return habits. Although licenses display a unique number that TJX can use for frequency analysis, the actual number is irrelevant to this purpose. TJX requires only a number‚Äîany number‚Äîthat can be consistently linked to an individual (and one that has more longevity and is more accurate than a name and telephone number).
43. Moreover, a driver’s license number is an extremely valuable piece of data to fraudsters and identity thieves intent on creating false identification with valid information. After drivers‚Äô license identity numbers have been compromised, they are difficult or impossible to change. For this reason, retailers and other organizations should ensure that they are not collecting identity information unless it is necessary for the transaction.”

Indeed. PII is often collected for reasons that, as stated, could be fulfilled in other ways.
This is an important point; too often organizations collect PII, such as the SIN in Canada or the Social Security number (SSN) in the U.S., for reasons that could be fulfilled using other types of information.
The purpose of SINs and SSNs were not to be individual identifiers for commerce, but unfortunately they have evolved (or devolved) to that assumed purpose, and that assumed purpose continues to be perpetuated.

“48. Lastly, we were not provided with evidence that customers were notified of the purpose of the collection of drivers‚Äô license numbers.”

How many organizations clearly provide notice of the reasons for which PII is collected? Does yours?
For the question, “Did the organization retain the information in compliance with the Acts?” some of the findings that caught my eye included:

“50. TJX reported that drivers‚Äô license and other identification numbers were retained indefinitely. As the intrusions took place over an extended period of time, the hackers were able to take full advantage of downloading information that should not have been retained.”

This links right back to point 2); PII is kept “forever.”
What are your organization’s retention policies? What processes exist to irreversibly delete PII no longer needed for business purposes?
For the question “Did the organization have in place reasonable safeguards to protect the personal information in its custody?” some of the findings that caught my eye included:

“76. We are of the opinion that ‚Äúreasonable security measures‚Äù compels organizations to consider the possible harm to individuals if the information were in the wrong hands. Principle 4.7.2 of PIPEDA explicitly recommends that organizations consider sensitivity when implementing security measures.
77. Given the nature of the personal information that was accessed by the intruders, the number of affected individuals, and the time that elapsed before the intrusion was detected, the harm caused could be quite serious. The perpetrator(s) had access to millions of credit card numbers for an extended period of time—long enough to commit credit-card fraud or to pass information on to others to do the same. While individuals who do notice unusual charges on their credit cards may not be responsible for the charges, the credit-card companies or merchants are. This could amount to significant losses to these organizations, not to mention the costs of replacing compromised credit cards.
78. Moreover, the breach exposes individuals to an increased level of anxiety. If their credit cards have been misused, they must deal with credit-reporting agencies to ensure that their credit rating is not affected. In some cases, this includes placing a true fraud alert on their files and requiring that they be vigilant concerning future financial statements.”

This is an important point that many organizations do not really, truly consider; the impact to the individuals impacted by a privacy breach. The time it takes from their lives, the dollars it takes from their bank accounts, to deal with a situation caused by an organization to whom they entrusted their PII…to whom they placed their trust.
Privacy breaches = lost trust = lost customers.
Organizations need to protect PII because it is the right and ethical thing to do. But if they want to have it put into financial terms, then this equation will make sense to CEOs.
Read the full report. Think about how the situation is similar to your organization. Think about how a similar breach would impact your organization.

Tags: , , , , , , , , , , ,

Leave a Reply