Are you ready and willing to tell the world when your network is breached?

April 29, 2016|Ed Leavens

It looks like you may not have a choice.

The Canadian Digital Privacy Act of 2015 was written as an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA).

One of the biggest changes for Canadian corporations is a mandatory breach notification provision that is on the way to becoming a reality.  The Digital Privacy Act will define when organizations have to notify customers and partners of a breach involving personal information, when and what they have to be told, when and what the federal privacy commissioner has to be told, and the level of breach information organizations will have to keep track of. 

Read More

Data Protection Security via Your Swiss Army Knife

April 22, 2016|Ross Morley

Everybody loves a Swiss Army Knife. I certainly do, cherish mine, keep it clean and sharp and in my pocket every day. It's trusty, reliable, does exactly what I ask it to do and it's the quick, easy, ideal solution for so many things. There are lots of other solutions out there - niche, one-trick pony tools I could use - but why would I wear a jingling tool belt full of them as I go about my white-collar business every day? Nope, the Swiss Army Knife is exactly what I need.

Read More

Is your website vulnerable to privacy and security issues? Here is a fast and easy way to find out.

April 18, 2016|Ed Leavens


Secure Socket Layer, or “SSL” is a technology that encrypts a connection between your computer and a web server. It is a security measure at the transport layer, which prevents outsiders from seeing what is sent or received over a specific connection to a server. Think of SSL as taking a clear pane of glass, and then painting it so nobody can see what is inside.

Read More

Security vs Compliance

April 12, 2016|Ed Leavens

Don’t be fooled. Security and Compliance are not the same thing. They are not even close.

Compliance is commonly defined as “the act or process of doing what you have been asked or ordered to do: the act or process of complying”. Compliance tends to have what I like to call a check box mentality.

Read More

The Panama Papers.  A new kind of breach.

April 08, 2016|David Gamey

In the world of data breaches, it’s not often that we see something totally new. This last week we may just have had such a thing.  Most people are familiar with easily monetized breaches such as those involving credit cards and tax information. Occasional breaches of health information and privacy are also familiar. Rarer are the some of the large breaches like the politically motivated attack linked to North Korea on Sony Pictures, the Ashley Madison shutdown extortion, and the US Intelligence disclosures by Snowden and others. Even rarer are nation state attacks like StuxNet.

But the Panama Papers seem different. Breaches of Law firms aren’t unknown but they also aren’t that notable.

Read More

Prioritizing Privacy: The EU Approach

April 06, 2016|Dr. Wael Hassan, PhD.

Prioritizing Privacy: The EU Approach

Current data protection laws in Canada, like those in the US, are vertical (sector-specific). By contrast, the European Union and many of its constituent states follow a horizontal model. This allows for a more mature, integrated approach to the protection of personal information. With more data sharing across organizational boundaries, sector-specific laws are becoming increasingly difficult to apply, and many initiatives now require extensive consultation to establish relevant privacy obligations.

Read More

Use Case Spotlight - FAQs

April 04, 2016|Ed Leavens

FAQs from a customer conversation

We recently had a discussion with the data governance group at a Forbes Global 2000 company. They asked some very interesting questions.  We decided to share some of those questions, along with our answers.

Can DataStealth identify data in structured and unstructured data?

Yes. DataStealth can identify data in both structured and unstructured data. The identification can be configured to look at a single field, or can be configured to “look everywhere, in everything”.

Is it possible to treat the data differently in different levels of an environment?

Yes. Each environment (and system, consumer, etc.) can have its own data protection rules, or can share a set of rules. The data protection policies are configurable at a very granular level, and support sharing to ease setup and support.

Read More

Format Preserving Encryption

April 03, 2016|ControlGap

Format Preserving Encryption (FPE) is an encryption method that produces cryptograms that share many of the formatting characteristics of plain text and has a wide range of potential applications beyond PCI.  FPE can meet PCI requirements for strong encryption. In some implementations of FPE, the encrypted data can so closely resemble cardholder data, that it becomes indistinguishable from cardholder data.

The issue of indistinguishable vs. distinguishable data arises due to the specific formatting scheme implemented by the solution. It is perfectly feasible to honor enough formatting constraints (i.e. matching lengths first 6 digits, last 4 digits, and passing the Luhn test) to produce cryptograms that can be reasonably confused with PAN.  In fact, such solutions will occasionally produce collisions with real PAN which cannot be prevented.  Distinguishability can be achieved by relaxing any of the formatting constraints or adding additional markers provides suitable mechanisms.

Read More

Privacy needs a pull, not a push.

April 02, 2016|John Wunderlich

How many times have you seen headlines like this after a breach: “Anthem hack may push healthcare to boost security”? 

It may be good journalism, or at least attract eyeballs, but we all know that if disasters were going to push companies and health care organizations to pay more attention to security and privacy, we've had more than enough disasters.

Read More