Privacy Breaches - The Private Sector Perspective

Discusses issues that arise in organizations when faced with a privacy breach. Compares attitude and approach of organizations with those of privacy regulators.

  1. Privacy Breaches – The Private Sector Perspective
     Mark S. Hayes, Blake, Cassels & Graydon LLP
     PIPA Conference 2008, Calgary, Alberta, November 17, 2008
  2. Summary
     • Privacy breaches are messy
     • Organization responses to privacy breaches are not models of efficiency and logic
     • IPCs can assist organizations, but only if assistance is not viewed as a threat
     • If in doubt, do no (more) harm!
  3. Breach Guidelines
     • Current guidelines are useful and reasonably practical
     • Four-step response plan is a good general guide
     • Completely agree with Catherine’s “Things You Wish You’d Done”
       – Everything is much easier if proper steps are taken in advance
  4. Breach Notification
     • Similarly, advice in documents like B.C.’s “Key Steps For Responding To Privacy Breaches” is of assistance in deciding whether and how to notify
     • With minor exceptions, the latest Industry Canada Breach Notification Model has struck the right balance between protection of the public and knee-jerk reactions that cause more harm than good
  5. However…
     • All of these guidelines can’t tell people in the trenches what they should do when dealing with a real-life data breach
       – Reality of organizations
       – Nature of breaches
       – Nature of internal responsibilities and responses
  6. A Case Study
     • Famous Harvard Business Review case study
       – Medium-sized retailer told by police it appears to be common point of purchase for large number of fraudulent credit card transactions
       – Not clear if company and its (less than airtight) IT systems are cause of apparent data breach
       – Customers have come to respect firm for its straight talk and square deals
       – Law enforcement wants them to stay quiet for now
       – Reputation at stake; path to preserving it difficult to see
  7. Experts’ Advice
     • James E. Lee, ChoicePoint
       – Advises early and frank external and internal communications, elimination of security weaknesses, and development of a brand-restoration strategy
     • Bill Boni, Motorola
       – Stresses prevention: comprehensive risk management, full compliance with PCI standards, putting digital experts on staff, consulting established model response plan and making preserving firm’s reputation
     • John Philip Coghlan, formerly of Visa USA
       – Recommends swift disclosure to empower consumers to protect themselves against further fraud; might even enhance company’s reputation for honesty
     • Jay Foley, Identity Theft Resource Center
       – Recommends quality of communication over speed of delivery; cautious management to prevent data thefts and long-term negative consequences
  8. The Conundrum
     • All of this may be good advice, but it is not identical and is sometimes conflicting
       – Typical when an organization discovers that it might have experienced a data breach
       – Organization often gets much advice and guidance, but no clear answers
     • Want to discuss responses to data breaches in the real world
  9. The Real World – Pre-Breach
     • Privacy often seen as a small and relatively unimportant compliance requirement
       – Not core to organization
       – Handled at a middle management level with periodic reporting to senior management
       – Compliance with privacy requirements is the focus
     • Most organizations have at most one serious data breach
       – Only a breach focuses senior management on privacy
  10. The Real World – Dealing With A Breach
     • Data breaches are really, really messy
       – Incomplete or incorrect information
       – Time and resource pressures
       – Confusing and contradictory internal and external priorities and policies
       – Poor internal coordination of response
       – Poor communications
     • Often no organized response team or list of internal and external contacts and back-ups
     • Fear!
  11. The Real World – Dealing With A Breach
     • Multiple risk management priorities
       – While organizations have concerns about individuals affected by data breaches, they are also concerned about organizational risk
       – Many other risk management priorities in addition to privacy and damage to individuals
       – Risk emphasis may depend on locus of privacy compliance management
     • Personal view of the elephant
  12. The Real World – Dealing With A Breach
     • Lack of authority (or interest) to respond without senior management approval
     • Confusion about responsibility for security as opposed to privacy
       – Especially true for IT security
       – CPO may have little knowledge of, or influence on, IT security procedures, even in an urgent situation
     • Most often internal resources not sufficient
       – Obtaining expert assistance takes time and money; often both in short supply
  13. The Real World – Dealing With A Breach
     • Many data breaches involve more than one organization
     • Ability to investigate and respond to breach not solely in control of organization
       – Service providers
       – Subsidiaries and affiliates
       – Business partners (e.g. credit card issuers)
     • Contracts may not allow organization to control how to deal with breach, even though it may have most of the risk and responsibility
     • Internal resources and priorities at other organizations may conflict
  14. Why Does This Matter?
     • Policy makers and regulators should be sensitive to organizational dynamics
       – Organizations are not monoliths, but individuals who are sometimes struggling
     • Guidelines are useful, but as a starting point only
       – “Take reasonable steps” does not provide much assistance in the middle of a tornado
     • Each situation must be understood on the basis of the dynamics of the organization
  15. Why Does This Matter?
     • Regulators must often try to support the CPO
     • Usually a friend of privacy but often caught amongst many competing interests
       – Board of directors
       – Senior management
       – Other employees
       – Customers
       – Investors
       – Outside advisors
       – Media
  16. Why Does This Matter?
     • Regulators must understand the role fear and distrust play in relationship with organizations
       – New people often involved in data breach response
     • Especially applicable to decision to notify regulator about data breaches
       – Concern that disclosure will create liability
       – Concern about access to information requests
     • If compulsory notification is instituted, organizations must have assurances about potential uses of information
  17. Do No (More) Harm
     • Bottom line for organizations and regulators
     • While quick action is required, any action before facts are known can make things worse
       – Must avoid making response to privacy breaches part of the problem
     • Understanding of risks resulting from breach is crucial, but can take some time
     • While guidelines are useful, very few “hard and fast” rules will apply in all situations
  18. Questions?
     For a digital copy of these slides, just ask!