Canadian businesses are storing more and more personal information digitally, but many are not using the technological tools or implementing the recommended practices to protect this information, a new survey has found. In light of these findings, the Privacy Commissioner of Canada reminds businesses that when using technology to safeguard personal information, sometimes small steps can prevent a big loss.
According to a telephone survey of 1,006 companies across Canada, commissioned by the Office of the Privacy Commissioner of Canada (OPC) and published today, companies are storing personal information on a variety of digital devices:
- desktop computers – 55%
- servers – 47%
- portable devices – 23%
Most (73%) are using some type of technological tool, such as passwords, encryption or firewalls, to prevent unauthorized access to the personal information stored on these devices.
However, the survey also suggested that many businesses may not be adequately using technology when it comes to protecting the personal information they store digitally.
For example, passwords are the most popular technological tool used by businesses to protect personal information (96%). However, of those using passwords, 39% do not have controls in place to ensure that those passwords are difficult to guess, and 27% never require employees to change passwords.
“Using passwords is like locking your front door. They can be a very simple and effective way to protect valuable personal information,” says Commissioner Stoddart. “But simply setting a password is not enough to thwart today’s savvy online criminals—passwords must be complex and dynamic.”
The poll, conducted in late November and early December 2011 by Phoenix Strategic Perspectives, also found that nearly one quarter of businesses are storing personal information on portable devices, such as laptops, USB sticks or tablets, which are more vulnerable to theft and loss. Nevertheless, almost half of those who do (48%) indicated that they did not use encryption to protect the information on these devices. Encryption refers to the use of a secret code as a key to scramble information to make it unreadable. Once the information is scrambled, only the same key can be used to unscramble the information and make it readable again.
“Encryption is one step better than locking your doors—it is like putting information into a safe—and it can really help limit the risks if a laptop is stolen or a USB key is misplaced,” says Commissioner Stoddart. “Businesses that lose their customers’ data, lose their customers’ trust, so they need to take every precaution to ensure they safeguard personal information they hold.”
The survey did find that many Canadian companies attribute considerable importance to protecting privacy (77%).
“I am encouraged to see that companies are beginning to realize the importance of building privacy into their business processes,” said Commissioner Stoddart. “Smart businesses know that taking the time to build privacy in from the beginning is much easier than cleaning up a privacy breach down the road.”
In fact, survey responses seem to suggest that companies are becoming more sensitive to the potential for data breaches. Only 40%, however, indicated that they were concerned about data breaches that might compromise the personal information of their customers and 31% indicated that they have guidelines in place for responding in the event of a breach.
Other highlights of the poll include:
- One third (32%) of businesses have staff that has had training on appropriate information practices and responsibilities under Canada’s privacy laws.
- Almost half (48%) of businesses have procedures in place for dealing with complaints from customers who feel that their information has been handled improperly.
- Many companies (39%) view protecting privacy as a competitive advantage, with 24% seeing it as a significant advantage and 15% a moderate advantage.
The OPC commissioned the survey in order to better understand the extent to which businesses are familiar with privacy issues and requirements, and the types of privacy policies and practices they have in place. Similar surveys were conducted in 2010 and 2007. The survey is considered to be accurate to within +/- 3.1%, 19 times out of 20.