Protecting your digital information: An ounce of prevention is preferable to a pound of cure

By Greg Murdoch

The transmission and storage of messages, sensitive documents and data has become routine for many companies. Construction companies routinely send information back and forth between employees/colleagues, clients, and subcontractors using email. Businesses also maintain and store information and move it about in other formats such as USB keys and CDs. Some of this information is highly sensitive for personal and/or business reasons.

The pervasive use of technology to transmit and store information introduces a wide variety of risks to your business. These include legal/regulatory risks and competitive risks.

One legal risk of particular concern to companies is the release of confidential client information.  Aside from the harm to a business reputation and damage to client relations which may result a negligent company could be responsible for civil damages if their client suffers harm as the result of the unauthorized release of their confidential information.

The release of personal information of either employees or clients is also a matter of concern.  The Personal Information Protection and Electronic Documents Act regulates the collection and use of personal information.   Any company that collects personal information must take appropriate measures to safeguard this information including appointing a specific individual to oversee the management of personal information.  Companies must take adequate steps to safeguard personal information.   The Federal Court of Canada has authority to award damages to complainants for the unauthorized release of personal information.

Inadequate safeguards on your stored data can put your business at a competitive disadvantage. Commercial espionage while exotic sounding is real.   The release of confidential information such as pricing strategies to a competitor can have obvious negative consequences

There are relatively easy and inexpensive safeguards which can be implemented to protect your data.

In general, always be aware of what you’re doing with your information. Never assume any device or storage method is secure by default because it probably is not.

It is important to secure any over-the-air transmissions.  Never use unencrypted wi-fi as this exposes transmissions to interception. Always be sure that you are on an encrypted network before transmitting.

Avoid the use of Bluetooth accessories (e.g. headsets, keyboards) in areas where an eavesdropper could easily connect to them.  When using cell phone networks ensure that the wi-fi function on your device is turned off entirely.

Employees should be instructed that if they work from home they must use strong password protection (WPA2 or higher). In the workplace access to networks must be controlled and passwords should be changed regularly. Employee passwords should be kept track of so that they can be revoked or changed if they leave the business.

For storage of data on external drives such as USB it is important to maintain passwords and an appropriate chain of control.   Common sense dictates that businesses are aware of and control the use of media storage devise.

In order to ensure data is secured the following actions are recommended:  Use password protection on files where possible;   Use password/passcode protection on mobile devices, Ensure that laptops that go into public places / sites have multiple levels of password protection – consider encrypting hard drives,

It is also important to be aware of external risks such as malware and phishing.

In summary, it is better to take proactive steps to protect your information, in order  to prevent it from reaching unauthorized parties than it is to be subjected to legal/regulatory actions or the resulting damage to reputation and business relations.

* * This article is intended only to inform and educate. It is not legal advice.  Be sure to contact a lawyer to obtain legal advice on any specific matter. This article was originally published in the March/April 2015 Issue of the Grand River Construction Authority Journal.