Did you know that the chances of a business having a privacy breach of any size are 80%? We estimate that 80% of small to medium-sized businesses in the next 5 years are going to be affected by a significant privacy breach. And of those that do have a data privacy breach, 60% of them will close their doors in 6 months because of it.
As businesses, we’re often in charge of collecting key information about our customers so we can serve them better, and it is so important that we treat the information that we give and collect with tact, consideration, and a great deal of discretion so that we can protect our privacy and our customers’ information privacy as well.
In this first episode of Talk Shop Interviews, I’m joined by information privacy expert Jean Eaton, who will help you learn how to protect your business or company from the very real possibility of a data privacy breach. Watch the full interview – Jean’s set up a bonus for you at the end!
Prefer to read than watch? Scroll down for the full interview transcript.
Be sure to click “like” on the video and subscribe to my YouTube channel – more great videos are coming your way!
Data Privacy Day is January 28 – follow along with #PrivacyAware
Lauren Sergy: Welcome to Talk Shop: the place where you can learn from industry experts how to become a better communicator in your work and your life. For this inaugural episode, we’re going to be casting back to a big story in 2017 which was the Equifax information breach where Equifax – a collector of financial information for millions and millions of people – actually lost the privacy of a large portion of their customers, a large portion of their clients, and people’s financial information became seriously compromised through an online security breach. As businesses, we’re often in charge of also collecting really important key information about our customers so we can serve them better, but it is so important that we treat the information that we give, and that we collect, with tact, with consideration, and yes, with a great deal of discretion so that we can protect our privacy and our customers’ information privacy as well.
And to talk about this today, I am very happy to have with us Jean Eaton. Not just A practical privacy coach, but THE practical privacy coach. Jean Eaton is the owner of Information Managers, and she is constructively obsessed about privacy, confidentiality, and security when it comes to the handling of personal information. Jean is passionate about supporting businesses to implement privacy through their design and their best practices so they can protect the privacy, confidentiality, and security of the personal information of their clients, of their employers, and of their businesses overall. Be sure to stick around to the end of the episode because Jean has some great resources available to you to help you start better protecting your customers’ information today.
Welcome to the show and thank you so much, Jean, for being here today. You really are the cream of the crop in terms of discussing information privacy which is something that I am taking more and more seriously, especially since that massive Equifax breach. Can you tell us a little bit about what your thoughts are in terms of that breach because that was huge!
Jean Eaton: It was huge, and it affected many people in many different countries, and the big part of that that really gets my goat, is that with Equifax breached, they’re a big company, they’ve got a big IT team, and their IT team ignored what they should’ve been following, and so we knew in the IT community, and I’m not an IT geek person, so, you know, this is what people are telling me, is that we knew there was a problem in this particular type of servers. So you get emails and you see things in the news saying that, you know, there’s been a weakness found over here, or that there’s a new patch that’s been over here. Well, they’ve had computer servers called Apache, and there’s been a weakness in it, and they didn’t fix it. And that was the problem, they’ve got this huge IT team. This is all about their business, and they didn’t fix it. Not only did they not fix it, they found out that they hadn’t fixed it, realized that they had a breach, didn’t deal with it and, again, they didn’t fix it, and then they had another hack. So, you know, it boggles my mind, we’ve got hundreds of thousands of people that have been affected by it, and so what do you do when you’ve got a privacy breach? You report it to the credit card monitoring companies. What if the credit card company is the person that has the breach? It just creates all sorts of problems.
Lauren Sergy: It really does boggle the mind, especially considering the huge scope of customers that they have, I mean they are multinational, they are one of the biggest financial information companies out there, and yet something like this happened. So, you have an outstanding blog article on the Equifax breach, which I am going to link to in the description down below. Be sure, listeners, that you check out this article; it’s really quite something and it’ll give you some deep insight in terms of what a major consideration this is when it comes to our information, when it comes to communicating what we want to communicate about ourselves specifically, but keeping those communications safe, too. So, this happened to Equifax, which is a huge company. But realistically, for small and medium-sized business, people who aren’t dealing with this volume of customer information and this volume of communication as well, how big of an issue is information privacy?
Jean Eaton: Well, the funny part about it is that, yes, this is a big company and they have a lot of volume, but the same type of privacy breach can happen in your own small business, and it doesn’t matter how many people are affected. Whether or not it is one or thousands of people, it is important to the person that is affected. And you have to go through all of the same steps to respond to that privacy breach, and to put it into perspective. So, if you had a privacy breach and it affected your company, it affected your customers, the people that you’re working with, or maybe it affected your employees, you’re going to drop everything and cope with that. You hope, right. And so the chances of having a privacy breach of any size are 80%, we estimate that 80% of small to medium-sized businesses in the next 5 years are going to be affected by a significant privacy breach. And so when they drop everything to deal with that, they’re not doing their business. And they have to get extra people to come in, they’ve got a bad reputation, all those things that are happening, and so what happens? You’re not dealing with your business. And so with those businesses, 80% of them that have a privacy breach, 60% of them will close their doors in 6 months because of the breach.
Lauren Sergy: That’s terrifying!
Jean Eaton: It’s terrifying, this is big stuff, you have to pay attention to it. And so they close their businesses because they spend so much time responding to that privacy breach, they spend all of this time and resources and money and they’re not getting their business done, and now they’ve got all these other things about bad reputation, and they’re dealing with the breach instead of dealing with their business. It’s not business as usual anymore.
Lauren Sergy: In terms of dealing with these breaches and handling them, I mean like, how difficult can it be really to deal with this because frankly, it seems like Equifax just said “Mea culpa!” and then went on their merry way with our information and nothing really happened to them, and so is that because they are a big company that it seemed like nothing much seemed to happen to them, or is there something special about small or medium businesses that causes this issue where 60% of them start to go out of business?
Jean Eaton: Well, Equifax is not out of the woods. They’ve got a number of substantial losses: class action lawsuits that have been filed against Equifax and this is something that we’re going to continue to hear about for a number of years. Now, Equifax is in a unique situation that they are not in today. Because there is new privacy legislation that took effect in January of 2018, the GDPR, which is international privacy legislation, if this breach had happened today they would have faced sanctions of a different sort. So, I believe the GDPR rules are saying that a breach of this type would have a 10% fine automatically assigned to Equifax for all of the revenue multinationally. So that becomes huge. And they’re still going to deal with the lawsuits and all of that, so just think.
But these things happen to small businesses, too. So depending on where you are, what type of industry you’re in, or what type of legislation you need to deal with, you need to deal potentially with lawsuits, you’re going to deal with fines and sanctions from regulators, and that might be the privacy commissioner’s office that will help to administer the health information act or breaches to FOIP or the Canadian Charter Freedoms Act. There was a breach in 2016 that was in Brampton that was in one of the family child services organizations and they had a breach and the interesting part about this is that they had information that they had in their website, the secure website that their staff and their employees and volunteers would log into the website and enter a name and password and would download the resources they need for the next meeting. The files they needed for the next meeting had confidential information on them, but somebody messed up on their website server, so then you log in and you would get their information, and you download it, somebody didn’t make sure that that didn’t happen and so they put it on a public-facing side of their website, and so they didn’t advertise it, but somebody in the public stumbled across it, and they found the case list of all of these families that were in crisis. So, this is something that can happen to all of us. They didn’t intend on doing that, it was an oops. That public person – that good Samaritan – tried to let that organization know that they made a mistake and “I can access this information, I don’t think I should.” They didn’t fix it.
Lauren Sergy: They knew and they chose not to fix it.
Jean Eaton: They chose not to fix it. But they also didn’t communicate with that good Samaritan who tried to tell them that they had a problem. So the good Samaritan tried again, tell them they had a problem, didn’t fix it. So she got really frustrated, and posted the names on Facebook. Now, she shouldn’t have done that. Now what’s happened is that there is now a lawsuit against this under the Canadian Charter of Rights and Freedoms, so it can be a very small number of people, it can be a relatively small organization, but there’s legislation that’s going to get out there for you. Now the American population tends to be much more litigious than the Canadian population, but that’s changed.
Lauren Sergy: Yeah, we’re catching up?
Jean Eaton: Doesn’t make me necessarily happy, but it’s out there. Not only are you going to be in violation of different privacy legislation, you are going to get into problems with lawsuits as well.
Lauren Sergy: Now for our American viewers, there’s going to be information privacy legislation on your end that doesn’t apply to the Canadian context and vice versa, but for our Canadian users, could you explain a couple of the acronyms that we might come up against? One that I’m thinking of is one you mentioned: FOIP. And the other one I’m thinking of, I know we’ve discussed this before, is PIPEDA.
Jean Eaton: PIPA and PIPEDA. So there are federal legislation and then there are provincial legislation and then there are industry specific legislation. Generally speaking, if you have a business you are running that is some sort of government department – if you are town hall, if you are a health region, if you are a library that’s getting funded by tax dollars – those organizations probably have to comply with FOIP, or PIPEDA, most frequently.
Lauren Sergy: What do those acronyms stand for? I’m getting ahead of you. That’s the librarian coming out. “Tell me what the acronyms mean!”
Jean Eaton: Freedom of Information and Privacy Protection. Okay, so there’s FOIP, FOIPA. Freedom of Information and Privacy Protection Act. And I get the acronyms a little messed up, so forgive me if I don’t get it quite right.
PIPEDA is the personal information and privacy electronic documents act, and that’s federal legislation. Now most or many businesses have to comply with PIPEDA because it talks about having electronic information. So if you’re collecting information off of a website, or you’re sharing information in that way, you might need to comply with PIPEDA. Generally speaking, if you are a business that’s funded by tax dollars, you’re under some kind of government umbrella, you’re probably going to need to comply with FOIP. If you’re a small business that is not getting government dollars, then it is not FOIP, it is other legislation; you will probably have to comply with provincial legislation.
So in Alberta and many other provinces, they have legislation for PIPA – personal information and protection act – many other provinces have the same legislation name, pretty darn close, it changes a little bit from province to province. You might have specific legislation for your industry. So in healthcare in Alberta, we have the health information act, in Ontario it’s called the Personal health information protection act, so many of the other provinces other than Alberta now have privacy legislation specific to healthcare, but all of the provinces have legislation that talks about the privacy of personal information, and they generally sound like a PIPA type of legislation.
Lauren Sergy: Okay, and that’s really important, for those among us who are business owners to understand to make sure when we are gathering data and we’re holding data about our customers that we’re able to keep up with whatever legislation applies to us, but also as a consumer angle because we’re asked to share so much information about ourselves online from a day to day basis that I want to know what kind of protections I have. Go ahead, Jean.
Jean Eaton: Generally speaking, every organization needs to have a privacy officer. So if you are a small business owner, you should have a privacy officer in your organization. If you are a consumer, if you are concerned about how your library is managing your information, or town hall, or the accountant that you use, you need to go and talk to that business, and talk to the privacy officer, you don’t need to know the name and whether it’s Mary or Sam or Joe, you just need to talk to their privacy officer. If they don’t have a privacy officer, if you’re not getting the response that you think is appropriate for your question then every province in Alberta has a privacy commissioner’s office. So if you have a concern, go to the privacy officer of the business that you’re concerned about, if you’re not getting the proper response, go to the privacy commissioner. It’s not a government department, it’s an agent of the legislative assembly. There is always someone you can go to.
Lauren Sergy: Regarding privacy breaches, that example regarding the family cases that you mentioned and then good Samaritan on Facebook who reported it, that’s a super interesting story. Do you have any other favourite stories regarding privacy breaches that you can share with us?
Jean Eaton: You know sometimes it’s bad luck, and I work with the organizations in healthcare primarily, so in healthcare we have good practices in place and many of the offices have a shredding machine or they have a very big bin that they collect all of their information that needs to be shredded and they have a third party vendor who comes in and takes a big bag of shredding and puts it into their trunk and in the parking lot and it all gets shredded. Well, I had a client that did that. Good organization, good practices in place. Great big shredding bin sitting in the offices, and the guy came in and picked up the great big bag of shredding for the month, and as he’s going outside, there’s a great big windstorm that comes rushing in, and that great big bag gets torn on the door and all of the papers are flying all over the city.
Lauren Sergy: No! That sounds like it’s out of a comic book, or a sitcom or something.
Jean Eaton: Who would’ve thought, right? So, this is a business that has good practices in place. They were doing the right things, and they just had a bad-luck day. What they did have in place was a strategy to deal with that privacy breach. They weren’t scrambling too much on the day of that privacy breach. They knew they had a problem, they had steps in place so that they knew how to respond to it. Sometimes we’re just a victim of bad luck and you think about all those reasonable safeguards to help to prevent that from happening, but if the bad thing does happen, do you have the steps in place so that you can respond to it? That’s what our responsibility is as a business.
Lauren Sergy: So, that leads in beautifully to one of the key questions here. What are some tips that you can give us that can help us protect our businesses today? I’m a one-woman shop. If something like this was to happen to me, I know this would be quite devastating. I know that’s the case for many other business owners I know, many employees I know who work in small/medium even large companies. What are some practical things we can do that can help us protect our customers’ information?
Jean Eaton: Well, there’s a lot of things we can do, but don’t get overwhelmed with a lot of things. There are 3 big tips that I wanted to share with you today.
Lauren Sergy: So I don’t have to breathe into a paper bag yet? Okay, good.
Jean Eaton: No, not yet. You’re good. Okay. So, the first thing is be very limited about the information that you collect. Collect the least amount of information that you need. Think about going for a walk. Think about what you would put in your wallet. You’re not going to put 20,000 dollars in your pocket for a walk through the woods. Do the same thing with the amount of information that you collect. Collect only what you need to have because that’s what you need to protect. Instead of having to have a big pocket you need to protect, keep it nice and tight and make sure you have a need for using it.
That’s the second tip: Only collect the information that you need to use and then use that information for the purpose that you said you were going to use it. So follow your promises to the people that you’re sharing the information with, or that you collected from. Think: many of our businesses have employees, collect the employees’ information to make sure that they get paid, so they want to give you information ’cause they want to get paid, you want to collect, but you don’t necessarily need to keep, for example, all the resumes that you’ve gathered for a job posting. Once that job posting is done, you’ve hired the people that you’re going to hire, perhaps a little bit of time, whatever’s a reasonable amount of time, maybe that’s 6 months, after that 6-month period, you’re not going to go back and use those resumes again, then securely destroy them. So use that information for the purpose that you said you would. If you collected all those resumes for a job posting, that doesn’t mean that you can scrape the email addresses off of them to then send them an email for marketing for your big promotion, you collected it for one purpose, don’t use it for another purpose.
And the third part is: respect the information that you’ve collected and respect the people that you’ve collected it from. You want to respect it and keep it secure. Know that you’ve got important information, acknowledge you’ve got important information. Don’t start tweaking things, don’t start sharing it around the edges. If you collected it for a purpose, use it for that purpose, and make sure you keep it safe and secure. “What we thought we had is a good solution on our servers before, and now you hear there is a vulnerability.” You need to do the updates, you need to do the patches, you need to continue to keep that information safe and secure.
Those would be my 3 big tips to get started with. There’s always more, but start there. Getting started is better than doing nothing.
Lauren Sergy: Right. So you’ve helped create some resources for the people watching this interview to get started. What is this resource and how can they access it?
Jean Eaton: Okay. So I have for you 10 key steps for how to help prevent a privacy breach. So you can get that off of my website, you can download it through Talk Shop – informationmanagers.ca/Talk-Shop – there is an email address that you’ll need to enter and then you’ll get access to the 10 key steps to prevent a privacy breach, so that’s a place to get you started. There are some key steps on how to collect, use, and disclose information and make sure that you’ve got a privacy officer. That will help you get started on your journey to make sure you are reviewing your best practices in place, and making sure you’re getting ready for the next step in your journey.
Lauren Sergy: So, this is really critical for our businesses, in fact it’s so important and it’s such an issue now that there’s a whole day. There’s a day dedicated to everything, but I feel this is really important. What can you tell us, Jean, about January 28th: Data Privacy Day?
Jean Eaton: Data Privacy Day is an international effort to make sure that people are aware about privacy breaches and have respect for privacy. It promotes the safeguarding of data, and helps organizations to enable trust. As a business, you have a business advantage. If you can make sure that you are reassuring your customers and clients that you can trust us, we’re going to look after your information. We know that your information is important, it’s important to us too. These are the steps that we’re putting into place to protect your information. So don’t be afraid to talk about privacy to your clients, to your employees. They need to know that you think it is important, and you need to have that conversation to show them what it is you’re doing to protect their information so that they’re going to think “Wow, I feel pretty good, this is a safe, secure place and I’m going to do business with these people.” That’s a business advantage. “I trust you.”
NOTE: You can follow Data Privacy Day with #PrivacyAware
Lauren Sergy: “I trust you.” That’s so big, and an increasingly rare thing it seems nowadays. Yes, January 28th is Data Privacy Day, but this is a year-round thing. There is no day off from good privacy practice and from managing the information that we collect, that we share, all of the information about ourselves that floats around out there. Like I said, you are the expert, the maven of information privacy practice. How can people find out more about you?
Jean Eaton: Go to my website, informationmanagers.ca, we’ve got a free download there, and when you get that free download you’ll have access to our Privacy Nuggets newsletter and all sorts of resources there. So see me on informationmanagers.ca.
Lauren Sergy: And before we close off, do you have any parting tips for us regarding information management?
Jean Eaton: I think the biggest thing is don’t be afraid. It’s a big world out there, and start with little steps at a time. Make sure that you’re collecting the least amount of information on a need-to-know basis and use information the way you said that you were going to. Go back and review that information. One of the biggest things that we fall back on is that we’re really excited about the projects that we’re working on today, but don’t forget about the last project. Don’t forget what you did before, you have to keep that top of mind. When you get the systems in place, then it makes it easier to go forward and to be part of your privacy. Every time you talk about a new project, designing privacy into the project at the beginning is far better than trying to fix it at the end.
Lauren Sergy: That’s outstanding. Thank you so much for all of these tips, Jean, these are really helpful. Really, really insightful. Thank you everyone out there who has been through this interview with us. If you found this useful, make sure you click that thumbs up, like this video, share it with your friends and colleagues. It’s very important information, be sure you subscribe to this channel so you can stay up to date on all future interviews on Talk Shop. Thank you so much for being with us here. My name is Lauren Sergy. Here with us today, again, is Jean Eaton, from Information Managers, informationmanagers.ca. And I look forward to seeing everyone here again on the next edition here on Talk Shop. Buh-bye.
Jean Eaton: Bye!