Transborder Data Flow Intruding on Privacy?
Outsourcers have a responsibility to protect client data regardless of where it flows or is stored – as is certainly highlighted by a barrage of client data security breaches of late.
The time has passed when transborder data flow had little or no legal implication. Even the Government of Canada's federal strategy, produced this year, concerns itself with the implications of America's Patriot Act and Transborder Data Flow Contracts, and highlights the fact that outsourcing contracts must be written carefully in order to protect information that may cross the Canadian border through outsourcing. Notably, the Patriot Act gives U.S. law enforcement officials the right to seek a court order allowing access to any record for the purpose of, but not limited to, an anti-terrorism investigation, without the data owner's knowledge.
Gone, too, are the days when the technical components of business operations concerned themselves solely with costs, efficiencies, and similar service metrics. Advisors must be prepared to make security recommendations that will support and enable privacy. This is becoming quite difficult due to the myriad of laws that are evolving without any apparent consideration of their individual impacts on the global economy and the operation of IT infrastructure, or of their impacts on each other. Among these are the Patriot Act (US), Lawful Access (Canada/US), Bill C-198, the Gramm-Leach-Bliley Act, Sarbanes-Oxley, PIPEDA, and other like legislation.
U.S. Lawful Access legislation requires (as it will in Canada upon ratification by Parliament) Internet Service Providers (ISPs) to retain traffic data for significant periods of time in the event that it is needed for investigations by law enforcement and other three-letter agencies. In Canada, not only does the proposed legislation spell out requirements for data retention and surveillance powers, it actually reduces the level of privacy protection normally associated with such data. As an example, one proposed scenario notes that ISPs would be required to provide information, with only a phone call, within 30 minutes on a 24/7 basis. No advance warrant signed by a judge; no privacy! This is certainly more intrusive than anything the Patriot Act permits.
Bell Canada, for example, recently introduced contract changes and, as recently as June 15th, notified customers that it retains the right to "monitor or investigate content or your use of your service provider's networks and to disclose any information necessary to satisfy any laws, regulations or other governmental request."
The Federal Privacy Commissioner, Jennifer Stoddart, has noted in recent speaking engagements that PIPEDA, Canada's personal data privacy law, needs more teeth. Yes, it does, but it also has to address how data is protected while it is being processed, not only while it is held.
No contract, however strong, will protect personal information from inspection, because outsourcing contracts do not typically take into consideration the path the information takes to and from the outsourcer, or the ability of ISPs along that path to inspect the data in transit.
Privacy might be a fundamental right in Canada, but there is nothing that presently protects personal information leaving Canada's borders from being flagged and tagged by U.S. authorities, including the National Security Agency, which has apparently already established contracts with the major ISPs to provide scanning activities for a fee.
As the Treasury Board Secretariat points out in its strategy, privacy is about control, the right to control one's personal information, and it was not surprised by recent surveys showing that transborder data flows are of concern to Canadians. A survey conducted by EKOS Research Associates Inc. for the Office of the Privacy Commissioner of Canada found that most Canadians expressed concern about personal information being transferred across the border.
While it is true that Canadians share a responsibility to inform themselves as to the disposition of their personal information, doing so can be a very onerous task given the extent to which personal information is shared among some of the sectors holding it.
Certainly a great deal of responsibility is delegated to the provinces and territories, who have an obligation to protect information within their control, but the private sector, too, must step up to the plate by adhering to the provisions of PIPEDA, or similar provincial legislation where it is available.
Most federal institutions have been using privacy and security clauses in contracting agreements to provide a variety of protective measures. Some of the more effective practices include:
- the segregation of personal information being handled under the contract from other records held by the contractor;
- audit trails to closely monitor how information is handled;
- the limiting of right-to-access, based upon specific user profiles;
- approval by the government of any subcontracting;
- the return or approved destruction of all records at the end of a contract;
- the signing of non-disclosure agreements; and
- the use of encryption technology allowing only government officials to view the decrypted data.
It is often stated that over 85% of critical infrastructure is controlled by the private sector. With that comes the responsibility of protecting data.
The private sector is not in a position to gripe about the barriers to business that the legal complications of transborder data flow impose without providing the security infrastructure to support its operations. The old adage applies: "for every complex problem there is a solution!"
In addition to having security measures in place to protect against, detect, analyze, respond to and recover from incidents, institutions that hold information technology contracts should limit the contractor's access to data to what is needed for testing or maintenance. Teeth are also necessary to ensure that outsourcing projects include all the mechanisms needed to properly secure the transmission of personal, and other, data.
There is some discussion about additional measures that would see current practices expanded to include:
Reviews in Advance of and During Contracting
- The inclusion of an additional step in the solicitation checklist (used for every service contract) that asks for a review of the direct and indirect risks involving personal and proprietary information;
- Internal processes to review all new agreements, including the use of multi-disciplinary teams to review proposed contracting arrangements;
- The monitoring of all contracts where foreign companies have access to personal or other sensitive information;
- The requirement that part or all of the work be completed within the institution (especially when health information is involved) or within Canada;
- Ensuring that personal information or other protected or classified information is shared with third parties only where warranted;
- Consultation with legal services to include provisions that prevent disclosure under any foreign legislation in all contracts where personal or sensitive information will be exchanged with or provided to third parties;
- Modification of contract forms to allow contracting authorities to better assess risk;
- The development of risk management approaches related to business and personal information to mitigate risks associated with foreign legislation, which will in turn be incorporated into the institution's corporate risk management framework;
- The amendment of training plans to increase department-wide awareness of risks; and
- The exploration of technology solutions to protect information flows.
Guidance out of Europe has been available for some time that provides advice on developing Requests for Proposals and contractual language for contracts with elevated privacy risk, so as to mitigate potential disclosure to foreign governments. Some excellent advice is provided in the Organization for Economic Co-operation and Development's September 2000 document entitled "Transborder Data Flow Contracts in the Wider Framework of Mechanisms for Privacy Protection on Global Networks."
Before such sample clauses are used, changed or adapted, institutions should consult their own legal services and privacy officials to ensure the clauses are properly used and are not in conflict with obligations under existing international agreements.
Personal data protection laws (Council of Europe Convention No. 108, for example) made the gathering, storage, processing and transmission of personal data subject to certain universal rules, such as:
- The data must be collected in a “fair” manner (i.e., not through deceptive or illegal means);
- The data can only be used for the purpose for which it was collected, and only for the time reasonably necessary;
- Persons are entitled to receive a report, on request, on what data has been collected about them by a particular company or government agency;
- One’s personal data cannot be disclosed to third parties unless authorized by statute or the individual has given consent (although the consent can sometimes be implied);
- Persons have the right to make corrections to their personal data and, in some cases, to have it deleted, or to have disputed data "flagged" as such; and
- The transmission of personal data to locations where "equivalent" personal data protection cannot be assured is prohibited.
Equivalent protection can only be provided when the sender enters into a written agreement with the foreign recipient, whereby the recipient affirmatively agrees to abide by the data processing policies of the sender, perhaps policies comparable to those of CoE Convention 108. Obtaining the consent of all affected customers may be the only suitable baseline for transborder data flow, and it is most certainly going to be cheaper to do so up front than after the fact, when a breach is highlighted in the press.
Peter J. Hillier is an IT Security practitioner in Ottawa. A Certified Information Systems Security Professional, Peter is also the founder and past President of the Ottawa Chapter of the High Technology Crime Investigation Association. He can be reached at firstname.lastname@example.org.
The federal strategy of the Government of Canada is available on the Treasury Board of Canada Secretariat Web site at:
Find the Transborder Data Flow document at: http://www.olis.oecd.org/olis/1999doc.nsf/LinkTo/dsti-iccp-reg(99)15-final
© FrontLine Security 2006