Q&A

Paul Wing: Privacy's Northern Light

Paul Wing, former Scotiabank information security leader, says Canada and the United States need revamped privacy policies and practices

By Scott Berinato

Page 4

Apple's iTunes support service asks for not just unchanging personal identifiers but also information seemingly unrelated to the request. In one instance I was asked for my iPod serial number to get support for the iTunes Store. There seems to be a real lack of logic around what information companies ask for sometimes. Why is that?

Sometimes the system is designed by a techie copying how someone else before them did it. Again, we have no best practices or standards. Other times it goes through marketing, and they want that personal information. Then there are customer service people who are not allowed discretion when they're authenticating you. They just have to go through their script. They have to insist on my date of birth even if it's irrelevant. And it's almost always irrelevant. The reality is we're not seeing governance to control that because the role of the chief privacy officer is not well established in most organizations.

Most CPOs are complaint investigators, as opposed to being involved in the governance policies around the capture and destruction of data.

What are the chances, though, that those marketing departments are going to voluntarily stop asking for all this minable data if customers don't raise a fuss?

I agree the marketing machine has the power right now. But when people do get burned, then they start to become believers. And right now, lots of people are getting burned.

Like the minister of privacy in Canada.

Besides the fact that Canada has a minister of privacy and a privacy office while the U.S. does not, talk about some of the other differences in terms of privacy.

North of the border we treat ID theft differently. We don't treat credit card theft as ID theft. If someone masquerades as me to apply for credit in my name, that's ID theft. I was in Dallas recently and they were talking about an ID theft scam, and eventually I figured out it was just fraudulent checks. So that's confusing sometimes. We have two privacy laws here: PIPEDA [the Personal Information Protection and Electronic Documents Act, pronounced PIP-eh-dah], which governs citizens' privacy rights, and the Privacy Act, which focuses on government agencies' responsibilities around privacy. I would say Canada is certainly looking more progressive right now than the U.S. Transborder data flows have become a big issue here.

Transborder data flows?

Data that crosses from Canada into the United States for storage or processing. We get questions now: Does my data go across the border to get processed? The answer is usually no, but sometimes it does in, say, a disaster recovery scenario. Companies trying to comply with PIPEDA were not comfortable with that because of the USA Patriot Act. They couldn't for sure guarantee compliance with PIPEDA if data were in the U.S. and the Patriot Act allowed access to that data without informing anyone. There's a lot of tension there. So service providers are realizing this cross-border thing is an issue to the point that they're looking at moving backup and disaster recovery back to Canada or Europe. Anywhere but
