TikTok has quickly become one of the most popular social media platforms among Canadians, with millions of users creating and sharing short-form videos every day. While the app was initially known for its popularity among young people, it has recently gained traction among businesses looking to connect with a broader audience. However, as with any technology, TikTok poses potential privacy and security risks for those who use it. Canadian businesses should be aware of these risks before jumping on the TikTok bandwagon.

This article will explore the risks associated with using TikTok for business purposes and provide tips and best practices for mitigating those risks.

Privacy Concerns on TikTok

Like any social media platform, TikTok collects significant user data, including location information, browsing history, and device identifiers. While TikTok has stated that this data is used to personalize the user experience and serve relevant ads, there is potential for this data to be mishandled or exploited.

For example, in 2020, TikTok was caught accessing the clipboard data of iOS users without their permission, raising concerns about the company's data collection practices. Additionally, there have been reports of TikTok sharing user data with the Chinese government, which has led to bans or restrictions on the app in some countries.

These privacy concerns are not just limited to individual users but also apply to businesses that use TikTok as a marketing tool. Suppose a business's data is compromised on TikTok. In that case, it could have serious consequences, such as damage to reputation, loss of customer trust, or legal repercussions. 

Therefore, Canadian businesses need to be aware of the privacy risks associated with TikTok and take steps to protect their data.

Security Risks on TikTok

In addition to privacy concerns, TikTok also poses potential security risks for businesses. The app's algorithm, which is responsible for suggesting content to users based on their interests, has been criticized for being easily manipulated. This means malicious actors could use the algorithm to spread fake news, propaganda, or other harmful content.

Furthermore, there have been reports of security breaches on TikTok, including phishing scams and malware attacks. These attacks can be especially damaging for businesses, as they may result in the theft of sensitive information or financial losses.

While TikTok has implemented security measures to mitigate these risks, it is ultimately up to individual users and businesses to take responsibility for their own security. By using strong passwords, enabling two-factor authentication, and monitoring for suspicious activity, Canadian companies can reduce the likelihood of security breaches on TikTok.

It is also important to note that TikTok's security risks are not unique to the app - businesses must be vigilant about security on all social media platforms and digital channels.

Mitigating Risks on TikTok

While the risks associated with using TikTok for business purposes cannot be completely eliminated, there are several steps that Canadian businesses can take to protect their privacy and security on the platform.

First and foremost, it is vital to review TikTok's terms of service and privacy policy before signing up. This will give businesses a clear understanding of how their data will be used and what measures TikTok has in place to protect user privacy and security.

Canadian businesses should also be mindful of the amount of personal or sensitive information they share on TikTok. This could include avoiding sharing confidential business information or personal employee data on the platform. Businesses should also consider limiting the amount of data that third-party apps or services have access to through TikTok.

Another important step for businesses to take is to use strong, unique passwords and enable two-factor authentication on their TikTok accounts. This will help to prevent unauthorized access to the account and protect against hacking attempts.

Finally, businesses should be vigilant about monitoring and reporting suspicious activity on TikTok. This could include monitoring for unusual login attempts or messages, reporting suspected phishing or malware attacks, and reporting any content that violates TikTok's community guidelines.

By following these tips and best practices, Canadian businesses can reduce the risks associated with using TikTok for business purposes and protect their privacy and security on the platform.

Specific Areas of Concern in TikTok's Terms of Service

TikTok's Terms of Service outline the platform's policies and guidelines for users. Here are some areas of concern related to privacy and security:

1. Collection of Personal Data: TikTok collects a significant amount of personal data from its users, including their location, browsing and search history, device information, and content they create and share. While the company claims that this data is used to personalize the user experience and improve the app's functionality, it raises concerns about the potential misuse of this data.

2. Sharing of Personal Data: TikTok may share user data with third-party companies, including advertisers, business partners, and service providers. While the company claims that it only shares this data for specific purposes, it raises concerns about the potential for this data to be misused or compromised.

3. User-generated Content: TikTok's Terms of Service state that user-generated content may be used and shared by the company for promotional purposes, without providing any compensation to the user. This raises concerns about the ownership and control of the content that users share on the platform.

4. Security Measures: While TikTok claims to have implemented security measures to protect user data, there have been reports of security vulnerabilities and data breaches. This raises concerns about the platform's ability to protect user data from unauthorized access or misuse.

Overall, TikTok's Terms of Service raise significant concerns about privacy and security, particularly related to the collection, sharing, and use of user data. It is important for users to be aware of these risks and take appropriate steps to protect their personal information.

Conclusion

TikTok has become a popular marketing tool for Canadian businesses looking to connect with a broader audience. However, it is essential to recognize that the platform also poses privacy and security risks that should be addressed. In this article, we have discussed the potential risks associated with using TikTok for business purposes, including privacy concerns and security risks, and provided tips and best practices for mitigating those risks.

Canadian businesses should be aware of these risks and take steps to protect themselves on TikTok, including reviewing TikTok's terms of service and privacy policy, minimizing the amount of personal or sensitive information shared on the platform, using strong passwords and enabling two-factor authentication, and monitoring and reporting suspicious activity.

While TikTok can be a valuable marketing tool for businesses, it is crucial to recognize that these risks are not unique to the platform. Both large and small companies must be vigilant about privacy and security on all digital channels and social media platforms. By taking the necessary precautions and staying informed about the latest security threats, Canadian businesses can use TikTok safely and effectively.

Canada’s Proposed Privacy Law Aims to Impose Stronger Fine of Up to 5% of Global Revenue or $25 Million

The federal government of Canada, through the Office of the Minister of Innovation, Science and Industry, has proposed a new privacy law for the private sector that aims to impose a stronger fine on organizations that remiss in protecting the privacy of Canadians.

The new proposed privacy law called the “Consumer Privacy Protection Act (CPPA),” also known as the Digital Charter Implementation Act, 2020, aims to impose administrative fines of up to 3% of global revenue or $10 million, whichever is higher, for non-compliant organizations. This new proposed privacy law also aims to impose fines for certain serious violations of the proposed law of up to 5% of global revenue or $25 million, whichever is higher.

Section 57, paragraph 3 of the Digital Charter Implementation Act, 2020 states that “security safeguards must protect personal information against, among other things, loss, theft and unauthorized access, disclosure, copying, use and modification.”

"The COVID-19 pandemic has accelerated the digital transformation, which is changing how Canadians work, access information, access services, and connect with their loved ones,” said Navdeep Bains, Minister of Innovation, Science, and Industry. “This transformation is making concerns about privacy, and how companies handle Canadians’ data, more important than ever. As Canadians increasingly rely on technology, we need a system where they know how their data is used and where they have control over how it is handled.”

Right to be Forgotten

The new proposed privacy law has its own version of the principle of "Right to be Forgotten." This right, also known as the right to erasure, gives individuals the right to ask organizations to delete their personal data.

The Digital Charter Implementation Act, 2020 gives Canadians the ability to demand that their personal information on platforms, including social media platforms, be permanently deleted in case when consent is withdrawn or when information is no longer necessary.

Canada’s Major Data Breach

In November 2019, LifeLabs, Canada’s largest provider of general diagnostic and specialty laboratory testing services, informed the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) that cybercriminals gained entry into the company’s systems, extracted data and demanded a ransom. LifeLabs informed the IPC and OIPC that the data breach affected systems that contained information of approximately 15 million LifeLabs customers (nearly half of Canada’s total population), including names, physical addresses, email addresses, customer usernames and passwords, health card numbers, and lab tests. The vast majority of these affected customers are from British Columbia and Ontario.

A joint investigation conducted by IPC and OIPC found that LifeLabs failed to protect the personal information of millions of Canadians resulting in a significant data breach in 2019. According to the two offices, LifeLabs failed to take the following reasonable steps:

• Protect the personal health information in its electronic systems;
• Adequate information technology security policies in place; and
• Collected more personal health information than was reasonably necessary.

The Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia both ordered LifeLabs to implement a number of cybersecurity measures to address the company’s shortcomings. Despite their findings, however, the two offices didn’t impose financial penalties on LifeLabs as there’s no law that allows them to.

“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm,” said Michael McEvoy, Information and Privacy Commissioner of British Columbia. “This investigation also reinforces the need for changes to BC’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties.”

In a separate statement, LifeLabs said that as a result of the cyberattack, it took several measures, including retrieving the data by “making a payment.” The company, however, didn’t mention how much it paid to the attackers.

The company also didn’t mention ransomware. While the LifeLabs cyberattack has the markings of a ransomware attack, it isn’t confirmed whether the attack was a ransomware attack. 

Traditionally, ransomware attacks encrypt victims’ files, locking out victims from these files. Ransomware attackers then demand ransom from victims in exchange for the decryption keys that would unlock the locked files. Majority of today’s ransomware attackers also demand an additional ransom payment in exchange for the non-publication of the stolen data gathered during the ransomware attack.

Personal Health Information Protection Act (PHIPA)

On March 25, 2020, the Ontario government amended the Personal Health Information Protection Act (PHIPA), Ontario’s health privacy law. Once implemented, Ontario will be the first Canadian province to levy monetary penalties against individuals and companies that contravene the province’s health privacy law.

The amendment to PHIPA doubles the maximum fines for an offense to $200,000 for individuals and $1,000,000 for corporations. The amendment also mandates that an individual be imprisoned up to a year for an offense.

“Perhaps most significantly, once regulations are in place, my office [Information and Privacy Commissioner of Ontario] will be given the power to levy monetary penalties against those who contravene our health privacy law, including for breaches, such as those resulting from abandoned records,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “Privacy commissioners across the country have been calling for the power to impose administrative penalties, and Ontario will be the first to enshrine it into legislation.”

Data Breach Reports Skyrocket After Implementation of Canada’s Privacy Law

The recent report from the Office of the Privacy Commissioner of Canada showed that data breach reports in Canada skyrocketed after the implementation of the mandatory data breach reporting required under the country’s privacy law.

Mandatory Data Breach Reporting

On November 1, 2018, organizations across Canada became subject to the mandatory data breach reporting under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Prior to the mandatory data breach reporting, data breach reporting was done on a voluntary basis.

Organizations subject to PIPEDA are required to report to the Office of the Privacy Commissioner of Canada any data breaches that pose a real risk of significant harm to an individual or individuals. The law also requires that the affected individual or individuals should be notified and records of all data breaches should be kept within the organization.

The Numbers After One Year of Implementation

Last November 1st, one year after the implementation of the mandatory data breach reporting, the Office of the Privacy Commissioner of Canada reported that breach reporting “skyrocket”, increasing six times the volume that the office had received during the same period one year earlier. According to the Office of the Privacy Commissioner of Canada, from November 1, 2018 to October 31, 2019, a total of 680 breaches were reported to the office, affecting over 28 million Canadians.

The Office of the Privacy Commissioner of Canada said that while some of those reports involved well-known corporate names, a significant volume came from small and medium-sized businesses.

Fifty-eight percent or 397 of the reported breaches, which made up the majority of reported breaches, involved unauthorized access, the Office of the Privacy Commissioner of Canada said. Key factors behind breaches resulting from unauthorized access were social engineering hacks and malicious insiders.

According to the Office of the Privacy Commissioner of Canada, more than one in five or 147 data breaches reported over the past year involved accidental disclosure, which includes sending critical information to the wrong person as a result of incorrect email or postal address or accidental exposure.

The Office said roughly one in four of the reported breaches involved social engineering attacks such as phishing and impersonation. In phishing attacks, attackers send malicious emails containing malicious links or attachments. Once this malicious link or attachment is clicked, it installs malicious software (malware) on the email receiver’s computer.

Impersonation

In impersonation, the tactic used in business email compromise (BEC) scams, fraudsters convince employees at an organization that they are someone. In a BEC scam, a fraudster impersonates via a spoofed email, for instance, a CEO and convinces an employee of an organization to release a certain amount to a bank account controlled by the fraudster.

According to the Office of the Privacy Commissioner of Canada, it observed a growing impersonation scam in the telecommunications industry. In the tactic known as SIM swap, an impersonator convinces a customer service representative of a telecommunication company into believing that he or she is an account holder. Successfully convincing a customer service representative, enables the impersonator to make changes to the account, including the change of a phone number to be assigned to a new SIM card controlled by the impersonator, allowing the impersonator to access other accounts.

In related information, the U.S. Federal Bureau of Investigation (FBI) recently issued an alert to its partner organizations warning them about SIM swap. According to the FBI, between 2018 and 2019, SIM swap is the most common tactic used by malicious actors in bypassing the two-factor authentication (2FA), which resulted in draining the bank accounts of the victims and passwords and PINs changed.

Notable Reported Breaches

The reported breaches at the financial cooperative Desjardins and financial holding company Capital One are two of the notable breaches over the past year as these two breaches affected millions of Canadians. The Desjardins data breach, which was initially announced in June 2019, affected 4.2 million Canadians; while the Capital One data breach, which was initially announced in July 2019, affected 6 million Canadians.

Desjardins attributed the data breach to one suspect, a former employee; while Capital One attributed the data breach to a “specific configuration vulnerability” in its public cloud infrastructure – a vulnerability that was exploited by one suspect, a former employee of the public cloud infrastructure, the Amazon Web Services (AWS).

Amazon, for its part, said in a statement, “AWS was not compromised in any way and functioned as designed.” The company added that the Capital One data breach, which also affected 100 million individuals in the United States, wasn’t a result of a vulnerability in the cloud server itself, but by a misconfiguration of firewall settings on a web application, managed on the cloud server by Capital One.

Preventive and Mitigating Measures Against Data Breaches

The Office of the Privacy Commissioner of Canada offers the following cyber security measures in order to prevent or mitigate the effects of a data breach:

• "Know what personal information you have, where it is, and what you are doing with it. When and where do you collect personal information? Where does that information go? Who can access it, and what do they do with it? You must understand your data before you can protect it!

• "Know your vulnerabilities. Conduct risk and vulnerability assessments and/or penetration tests within your organization to ensure that threats to privacy are identified. Don’t just focus on technical vulnerabilities, though. Are third parties collecting personal information on your behalf without appropriate safeguards? Are your employees aware of risks and their privacy responsibilities? Over the last year, the OPC [Office of the Privacy Commissioner] has seen each of these scenarios lead to a breach. Identify your organizations’ weak points before a breach identifies them for you!

• "Be aware of breaches in your industry. Attackers will often re-use the same attacks against multiple organizations. Pay attention to alerts and other information from your industry association and other sources of industry news. Don’t be the next vulnerable target!”

NASA Data Breach May Have Put Personnel Information at Risk

In December 2018, news broke of a data breachat NASA. This is just one of the many cybersecurity issues to strike large organizations and businesses in recent months, including Facebook, Marriott and more.

It’s believed the attack may have compromised personnel data, potentially making Social Security numbers vulnerable. The breach was first discovered in October, in servers containing personally-identifiable details of NASA staff, though it was kept from staff for nearly two months.

Obviously, this is a major problem that no doubt inspired dread in anyone who believed they may have been affected. Sadly, it’s an ongoing risk when hackers continue to utilize ever-more sophisticated techniques to bring networks down or simply steal valuable information.

At the time of writing, the extent of the breach was still unknown but was assumed to affect both current and former NASA personnel (including those connected to NASA as far back as 2006).

However, such a breach may not be a surprise to anyone following NASA closely, as its cybersecurity has been flagged for its flaws in the past. Its Office of Inspector General had indicated there were problems with NASA’s entire IT management and security processes overall — something that no company of any size can afford to overlook.

The Importance of Effective Cybersecurity

For something as vast and well-known as NASA, cutting-edge security is essential to both defend against and deter potential attacks. Not only is the data of personnel under threat, but NASA is involved in a large number of important projects, and any interference, delays or disruptions could have significant repercussions.

An audit conducted at NASA’s Security Operations Center (based in California) revealed that it was underperforming in multiple ways. A reportfrom the Office of Inspector General concluded that the Security Operations Center had ‘fallen short’ of its purpose: to act as the driving force behind NASA’s cybersecurity efforts.

Lapses in management can affect cybersecurity in every company: a proper structure must be established to address potential risks, ways to manage attacks when they happen and strategies for handling the aftermath.

The NASA breach demonstrates that even technological powerhouses, responsible for some of the most mind-bending feats in history, may still fall prey to cyber-attacks.

Common Cybersecurity Pitfalls

It’s vital that your business or organization takes steps to avoid common pitfalls that essentially open the door for hackers to step into your network and help themselves to almost anything they like. What are these dangers and how do you address them?

A lack of education

Sadly, human error is one of the biggest culprits in cybersecurity flaws. While we might all like to believe we’re smart enough to stay safe online, it’s easy to make small mistakes with big consequences.

Weak passwords increase a business’s risk of attack, and all employees should be made aware of this. Likewise, sharing sensitive data with others and falling for common phishing scams can all reduce your company’s security.

This is why comprehensive education is so essential today. Even if you have intelligent staff who know their way around all of your tools and software, they could still make one tiny error that brings your entire network down.

Data breaches can chase existing and prospective customers away to competitors offering greater stability. Research shows consumers expect companies to keep their details safe, and 70 percent would walk awayfrom a brand if their finances were affected by a data breach the business should have prevented.

Undertake expert training for all staff, at every level, to minimize cybersecurity dangers. When your employees know how to create strong passwords, keep sensitive data private and spot phishing risks, you can offer customers a higher standard of protection against threats.

Depending on outdated security

Don’t leave your security software outdated — make sure you always update to the latest version and take full advantage of the defenses it offers.

While it can be easy to assume any form of firewalls and other programs designed to keep you safe will repel attacks, that’s not the case. Cybercriminals are well-versed in tiny flaws and know how to exploit them to gain access to systems, no matter how minor such gaps may seem.

If you know your security is weaker than it should be and hackers could find an obvious way into your network, take steps to address it immediately. You can’t depend on outdated software to stop the most up-to-date attacks.

Physical security oversights

Not only is effective cybersecurity fundamental to protect your employees’ and customers’ data, but physical security is just as important.

Your business site must be equipped with the best protection you can afford. Surveillance cameras, alarms, sensors, smart locks — utilize anything and everything available to keep your workplace safe from unwanted visitors.

Why? Because apart from the obvious problems related to theft, any laptops, USB sticks, hard drives or devices stolen from your office could all contain invaluable data. Thieves may either use this themselves or sell it on to cybercriminals set to target your personnel or clients.

Untrustworthy employees

Certain members of staff could seize an opportunity to steal sensitive data from your system and pass it on to others.

This may be for profit or out of a malicious aim to disrupt your operations, perhaps if they feel they have been mistreated or are due to leave the company. Whatever the circumstances, anyone with access to important information could cause major problems for your business if left unchecked.

While such individuals can cover their tracks and avoid suspicion for a long time, make sure you stay vigilant. Encourage employees to be aware of potential risks posed by colleagues and understand how important it is to report any suspicions they have.

Looking to learn more about how effective cybersecurity can protect your business from hackers in 2019? Want to work with a team of cybersecurity experts with the tools, training and techniques to help your company’s system stay secure?

Just reach out and get in touch!

Gov’t of Canada Moves Closer to Implementing Mandatory Data Breach Reporting by Publishing the Proposed “Breach of Security Safeguards Regulations”