Everyone knows that it’s not a matter of if your private information will be breached. It’s a matter of when. I don’t have much of an expectation of privacy these days. A search in the Amazon application on my iPhone means that I’ll start seeing Facebook ads for that item. Google maintains a timeline of my visits to various locations. Video cameras are everywhere.
What I don’t expect is the leader of my country to defend a government agency known to have a long history of mishandling information when they ask my bank to hand over all of my personal banking history and personally identifiable information. Statistics Canada, our national statistics agency with a mandate that “ensures Canadians have the key information on Canada’s economy, society and environment that they require to function effectively as citizens and decision makers.”, has asked for the personal banking information of 500,000 Canadians to be released to them.
This means that 1 in 20 Canadians will have all of their banking information and personally identifiable information turned over to a government agency that has failed security audits. A report from earlier this month indicated that 50 percent of government agencies that accept credit card payments have failed to obtain PCI certification – including Statistics Canada, the agency asking for all our financial data.
For those unfamiliar, PCI is the Payment Card Industry. The PCI Security Standards Council (SSC) is a global entity dedicated to developing security standards related to account data protection. They have developed the PCI Data Security Standard (DSS) among others. The PCI SSC was founded by Visa, Mastercard, American Express, Discover Financial Services and JCB International. Anyone processing, storing or otherwise interacting with credit card data associated with these companies must adhere to the PCI DSS and undergo annual testing to ensure that they are maintaining adequate security.
The fact that 17 agencies, including Stats Canada, have failed should already be concerning, but that concern should increase when you realize that many consider PCI to be the minimum amount of effort that an organization should invest in security. The security of most of our financial institutions far exceeds the minimums put in place by PCI, yet one of these failing agencies wants to house the same information as our bank.
While I’m often the first to say that we have to expect our privacy to be breached, we still need to work to prevent avoidable breaches. Given the history of the agency, along with the sensitivity of this data, everyone needs to pay close attention to this moving forward. The results could be disastrous. It’s scary to think that an agency that has failed to meet the minimum requirements set out by credit card companies and has been in the press for mishandling private information feels they properly defend a database of our financial information from hackers.