Data Privacy And Unauthorized Non-Hackers: The Rise And Risk Of Accountability And Breach Notifications In Canada

Author:Mr Richard Bortnick
Profession:Cozen O'Connor

Originally published on CyberInquirer.

Recent unauthorized access to British Columbia Institute of Technology's computer network, which contained personal medical information of approximately 12,680 individuals, is yet another reminder of risks of exposure to data breaches. That none of the data on BCIT's computer network was compromised or misused is reflective of a low-profile non-hacker intrusion, and of the ease with which computer networks can be infiltrated. Indeed, a sophisticated hacker would know better than to leave massive amounts of data, rightly labeled by some as the "oil" of the 21st century, uncompromised. More curious than uncompromised data, however, is BCIT's notification in the absence of an actual data breach, and mandatory breach notification provisions under B.C. privacy law.

To analogize the recent unauthorized access to BCIT's computer server to a bricks and mortar scenario, consider an intrusion into a house whose front door was mistakenly left unlocked by its owner. An intruder enters the home, spends some time watching Life is Beautiful on a wide screen plasma TV mounted next to a collection of Rémy Martin Louis XIII (a pricy brand of cognac). After sometime, the intruder finally leaves with a generic white cardboard box. To the extent that the break-in on BCIT's computer network was designed to use its servers for downloading and uploading foreign films, leaving the medical information of 12,680 individuals uncompromised, the house burglary scenario is not too dissimilar with what occurred in the cyber world with BCIT's network.

We live in a global knowledge economy. Virtually every service industry sector (financial, insurance, legal, medical, publishing, educational, etc.) is heavily reliant upon information. As early as 1983, CEOs of large banks were labeling data as the new oil of modern day economies. The value of information is not the information itself but what it enables its controller to do on a larger scale. Consider this next example. In 1970, the U.S., through data gathered on a fleet of satellites, became aware of Brazil's coffee crop failure before Brazilians knew. Had Brazilians not become aware of their crop failure in time, foreign speculators would have bought up coffee futures...

To continue reading