As technology continues to advance, the security measures companies implement must keep pace to protect against threats and exposure to cyber liability. The available statistics suggest that, as of 2015, companies were simply not investing enough in their security programs. Information security budgets had in fact declined steeply across several sectors. On average, the 2015 survey reported:

  • A 25% decrease in the budget for information security for organizations in the aerospace and defense sector;
  • A 21% decrease in the budget for organizations in the technology sector;
  • A 16% decrease in the budget for organizations in the automotive sector; and,
  • A 15% decrease in the budget for organizations in the retail and consumer products sector. [1]

To keep their security practices current, organizations need to continue to invest in information security, and that investment must cover people and processes as well as technology. When security budgets are cut, companies often redirect all of their remaining focus to preventing breaches by outside attackers and overlook the risk presented by their own employees and by third party vendors. This reflects a failure to recognize that the proper training and management of employees and third party vendors is a vital component of an effective information security program.

Third party vendors present a significant concern for the security of organizations because they generally have access to private and confidential information. While companies protect that information from outside parties, the same safeguards are frequently not in place once the information is in a third party vendor's hands. In a recent study, only 50% of respondents reported performing risk assessments on their third party vendors. [2] The same study found that only 54% of respondents had a formal policy requiring third party vendors to comply with their privacy policies. [3]

The severity of a breach of confidential information by an employee or a third party vendor has become a prominent issue in several recent lawsuits. For instance, five Mounties filed a class action lawsuit against the RCMP alleging that their medical records had been shared outside the organization without consent. Specifically, the claim alleges that the RCMP disclosed the Mounties' complete, un-redacted, confidential and private psychological counselling records without their consent. [4] Of note, this case differs from a typical privacy breach case because the information appears to have been disclosed by the employer voluntarily, rather than obtained through a vulnerability in a security system.

Still, this case highlights the importance of investing in effective security systems to protect data. It also underscores the importance of training employees so that they know what constitutes private information and understand the ramifications of sharing it without consent. Regardless of how much a company invests in processes and technologies, its security practices will not be effective without a proper investment in people, since people are the ones who actually access the confidential information.

Another example is the recent class action commenced against TD Auto Finance Services Inc. for the loss of customers' personal information. [5] A data tape containing the personal information of approximately 239,277 customers was lost when the Defendant shipped it through UPS with a declared value of only $5.00 on the package. The employee who chose to send the package through UPS, without taking additional measures to protect it or alerting UPS to the value of its contents, was evidently operating under the impression that TD Auto Finance Services Inc. favoured saving money on shipping costs over protecting the personal information collected from its customers. This significant breach of confidential information again demonstrates the importance of proper employee training, and the damage that can result when expense reduction is given priority over protecting confidential information.

In summary, companies need to continue to direct significant resources towards information security, recognizing everything that information security entails. Companies should not lose sight of the importance of investing in their people, including their employees and any third party vendors, to protect against potential cyber liability and privacy breaches.


[1] "Key findings from The Global State of Information Security Survey 2015" (30 Sept 2014), online: PricewaterhouseCoopers http://www.pwc.com/gsiss2015 at 21.

[2] "Key findings from The Global State of Information Security Survey 2015" (30 Sept 2014), online: PricewaterhouseCoopers http://www.pwc.com/gsiss2015 at 25.

[3] "Key findings from The Global State of Information Security Survey 2015" (30 Sept 2014), online: PricewaterhouseCoopers http://www.pwc.com/gsiss2015 at 25.

[4] "Five Mounties sue RCMP in alleged medical privacy breach" (18 Feb 2016), online: Global News http://globalnews.ca/news/2525386/five-mounties-sue-rcmp-in-alleged-medical-privacy-breach/

[5] "Class action launched against auto lender for data breach" (22 Feb 2016), online: Auto Remarketing Canada http://www.autoremarketing.com/arcanada/class-action-launched-against-auto-lender-data-breach

www.lerners.ca

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.