When news broke recently that the Swedish Data Protection Authority fined a local municipality more than USD $20,000 for privacy violations, it marked the emergence of a potential new front in the struggle to balance privacy rights and security requirements.
Under the European Union’s General Data Protection Regulation (GDPR)—sweeping legislation that governs everything from website tracking to data collection practices across the 28-member European Union and European Economic Area—the use of data gathered with the help of facial recognition and biometric software is restricted and tightly controlled by. Apparently, a school board in Sweden didn’t get the memo and used facial recognition software to track high school student attendance over a three-week trial period intended to test out new technology.
The school board saw the tracking software as a more efficient use of teachers’ classroom time. According to media reports, attendance-conscious educators had apparently been devoting about 17,000 hours a year to keeping tabs on their pupils. The SDPA saw the matter differently and issued a significant fine, a first for Sweden.
Tech as a cyber security tool, but to what end?
The European Union has taken the lead in legislating to secure privacy rights and protect citizens, just as authorities in other regions have turned to cutting-edge new technology designed to enhance protection measures for the general public. In the wake of recent shootings in Toronto, for example, the city’s community housing agency has announced plans to increase video surveillance in at-risk neighbourhoods, all to help deter crime and aid police enforcement efforts. In the United Kingdom, cities such as London have long relied on street-level surveillance to maintain safety. The U.S. government has been using biometric technology, including the fingerprinting of foreign visitors, at border crossings for years.
The challenge that arises, of course, is when governments abuse these tools. China has faced widespread criticism for its use of facial recognition and data collection programs in its western provinces to track the local Uyghur community. In other parts of the country, Beijing actively uses technology to help silence or monitor anti-government voices. Many liken the tactics to an Orwellian invasion of privacy, an effort to enforce government-sanctioned values on an unassuming populace.
If a school board in Sweden uses facial recognition technology to track students, some argue, it’s not far-fetched to expect a more widespread application of that software across society. In the hands of a trusted few, there isn’t much concern. But what happens if those individuals can no longer be trusted?
Legal systems adapting to new technology
The reality is the use of technology as a protective tool is hardly novel and, in most cases, isn’t nearly as sinister as some may contend. The big question, as with the example from Sweden, is to what degree governments will tolerate its use. Authorities in Canada are beginning to weigh in on the safety and security vs. privacy debate.
In Ontario, for example, a labour arbitrator recently ruled in Teamsters Local Union No. 230 v Innocon Inc., that a concrete delivery company (Innocon) had the right to install cameras in its trucks to help improve driver safety and highlight potential driver misconduct by recording a driver’s actions, but only in the event that the vehicle swerved unexpectedly or took some form of evasive action that could indicate erroneous or erratic driving. In the arbitrator’s view, some level of in-cab monitoring was justified because an employer’s business interests can supersede an employee’s right to privacy under specific circumstances.
Cyber security strategies for business
Business owners should be aware that at any point, our legal landscape could shift and new laws could limit the use of biometric or facial technology when used in public spaces or workplaces. But I predict that governments will take a measured approach to balance privacy and security concerns. It’s likely that we will see a tightening of privacy restrictions in Ontario and across Canada at some point. In the meantime, however, your focus should be on assessing your organization’s security vulnerabilities and taking an integrated approach to protecting your people and assets.
That means reviewing the plethora of tech tools available on the market and deciding which ones make sense for your organization based on its operational needs. Facial recognition technology may make sense for a retailer with several busy locations, for example, but could provide little benefit to a software development firm with much simpler security needs. Be prepared to customize your strategy and invest in security components that will make a decided impact in helping mitigate risk and advancing your organization’s strategic goals (e.g., not being robbed, having your data held hostage, or seeing your commercial property or workplace invaded).
But first, take the time to understand your jurisdiction’s privacy laws. Make sure your security strategy doesn’t violate any rules when the time comes to implement cutting-edge—yet potentially controversial—security technology.
The new BOMA report offers cyber security advice for commercial property owners
We not only live in a world addicted to data, but one that often ignores cyber security.
From our smartphones to the digital personal assistants (Siri, Alexa) that have been marketed as tools to free our time for leisurely pursuits—the jury’s still very much out on whether they’re helping most of us achieve that goal—an increasing number of interactions in our daily lives involve internet-connected digital devices that track human behaviour. Most of this data is benign and has little application outside of the marketing world. When I mention visiting a destination on a social media account, for example, I suddenly find ads for that destination in my news feed. It’s annoying, maybe, but not necessarily a major breach of privacy.
Now, what happens when smart devices start tracking and collecting information across the commercial property?
Connected commercial properties
No need to wonder because that’s likely already happening in a building you occupy, and perhaps the one you’re sitting in right now. Everything from your building’s door card readers and fire alarm panels to its HVAC system, surveillance cameras, and thermostats could well be connected to the Internet. The potential for efficiencies, cost savings, and property performance improvements are almost too numerous to summarize in a single article. But so, too, are the cyber security risks.
While security firms such as ours still guard against so-called traditional thieves—thieves who break into a facility intent on stealing merchandise or equipment, or engaging in vandalism, for example—Wincon Security has evolved into an integrated solutions provider in recent years precisely because an equal and fast-growing risk exists in the online realm. Sophisticated malfeasants, many of whom are connected to overseas organized crime rings, are looking for easy targets. That means organizations or commercial property owners reluctant or unwilling to invest in a holistic, digitally-focused security strategy to protect their assets are gravely exposed.
Why wait-and-see never works
Unfortunately, many organizations take a cross-your-fingers approach to security, betting that they’re too small or their data is too invaluable to draw the attention of cyber thieves. That is until they’re hit. Then most are left scrambling trying to restore systems or pay ransoms to recover data and rebuild their businesses after an online attack.
So great is the threat that BOMA Canada recently published a Cyber Wellness Guide for commercial property owners. In it, the organization notes:
The IIoT (Industrial Internet of Things) currently in the market is geared towards user value and hasn’t necessarily been looked at from a thorough cyber security perspective. That increases the onus on building managers to have a robust plan to prevent and deal with cyber issues.
In addition to the expanding network of smart devices, attackers are also becoming more persistent and patient, whether it is to gain ransom from you or to cause other damage. In addition to local hackers who may use phishing attacks or ransomware to cause potential damage, there are international threats too as proximity does not matter when dealing with cyber risks, and no sector is immune.
Indeed, it’s not alarmist to assume that a hacker could breach your building’s cyber defences (assuming they’re in place, which isn’t always a given), steal data, and even coordinate with thieves to break into your facility. If your organization happens to deal in high-value or sensitive materials, this is of particular concern. So, what’s a property owner or manager to do?
Be proactive to bolster cyber security
As the BOMA report notes, it all starts with preparation. Having tools such as firewalls, anti-virus software or endpoint security on laptops and other vulnerable devices in place is crucial. Huge advancements are also being made with artificial intelligence technology to detect breaches long before they become obvious or increase risk. Of course, staff training is another important consideration—and that includes making sure that security personnel is as well trained in mitigating cyber threats as they are in monitoring traditional causes of building vulnerability or standing on guard to prevent incidents such as physical break-ins.
Having a significant security budget in place is another important consideration that many property owners overlook—particularly if they’re prone to trying to look for ways to maximize profitability at the expense of all other considerations. That budget should include line items for both physical and cyber security measures. From there your team will need a cyber security plan that can be implemented at a moment’s notice if a data breach occurs. The plan should be customized to your specific needs and be comprehensive enough to address a range of possible scenarios.
Most importantly, be sure to work with a security provider who understands the risks involved as the IIoT becomes ubiquitous, cyber threats increase and the need for solutions integration becomes more important than ever. Because the last thing any busy commercial property owner should waste time fretting over is whether a hacker in some far-flung locale is preparing to compromise the security of their data or their facility.
INTERESTED IN CYBER SECURITY CONSULTING?
FILL OUT OUR QUOTE FORM AND GET STARTED TODAY!
Winston Stewart, President and CEO
Wincon Security