Privacy Breaches - The Private Sector Perspective

Privacy Breaches – The Private Sector Perspective Mark S. Hayes Blake, Cassels & Graydon LLP PIPA Conference 2008 Calgary, Alberta November 17, 2008

Summary
Privacy breaches are messy
Organization responses to privacy breaches are not models of efficiency and logic
IPCs can assist organizations, but only if assistance is not viewed as a threat
If in doubt, do no (more) harm!

Breach Guidelines
Current guidelines are useful and reasonably practical
Four step response plan is a good general guide
Completely agree with Catherine’s “Thing’s You Wish You’d Done”
Everything is much easier if proper steps taken in advance

Breach Notification
Similarly, advice in documents like B.C.’s “Key Steps For Responding To Privacy Breaches” is of assistance in deciding whether and how to notify
With minor exceptions, latest Industry Canada Breach Notification Model has struck right balance between protection of public and knee-jerk reactions that cause more harm than good

However……..
All of these guidelines can’t tell people in the trenches what they should do when dealing with a real-life data breach
Reality of organizations
Nature of breaches
Nature of internal responsibilities and responses

A Case Study
Famous Harvard Business Review case study
Medium-sized retailer told by police it appears to be common point of purchase for large number of fraudulent credit card transactions
Not clear if company and its (less than airtight) IT systems are cause of apparent data breach
Customers have come to respect firm for its straight talk and square deals
Law enforcement wants them to stay quiet for now
Reputation at stake; path to preserving it difficult to see

Experts' Advice
James E. Lee, ChoicePoint
Advises early and frank external and internal communications, elimination of security weaknesses, and development of a brand-restoration strategy
Bill Boni, Motorola
Stresses prevention: comprehensive risk management, full compliance with PCI standards, putting digital experts on staff, consulting established model response plan and making preserving firm's reputation
John Philip Coghlan, formerly of Visa USA
Recommends swift disclosure to empower consumers to protect themselves against further fraud; might even enhance company's reputation for honesty
Jay Foley, Identity Theft Resource Center
Recommends quality of communication over speed of delivery; cautious management to prevent data thefts and long-term negative consequences

The Conundrum
All of this may be good advice, but not identical and sometimes conflicting
Typical when an organization discovers that it might have experienced a data breach
Organization often gets much advice and guidance, but no clear answers
Want to discuss responses to data breaches in real world

The Real World – Pre-Breach
Privacy often seen as a small and relatively unimportant compliance requirement
N ot core to organization
Handled at a middle management level with periodic reporting to senior management
Compliance with privacy requirements is focus
Most organizations only have none or one serious data breach
Only breach focuses senior management on privacy

The Real World – Dealing With A Breach
Data breaches are really, really messy
Incomplete or incorrect information
Time and resource pressures
Confusing and contradictory internal and external priorities and policies
Poor internal coordination of response
Poor communications
Often no organized response team or list of internal and external contacts and back-ups
Fear!

Multiple risk management priorities
While organizations have concerns about individuals affected by data breaches, also concerned about organizational risk
Many other risk management priorities in addition to privacy and damage to individuals
Risk emphasis may depend on locus of privacy compliance management
Personal view of the elephant

Lack of authority (or interest) to respond without senior management approval
Confusion about responsibility for security as opposed to privacy
Especially true for IT security
CPO may have little knowledge of, or influence on, IT security procedures, even in urgent situation
Most often internal resources not sufficient
Obtaining expert assistance takes time and money; often both in short supply

Many data breaches involve >1 organization
Ability to investigate and respond to breach not solely in control of organization
Service providers
Subsidiaries and affiliates
Business partners (e.g. credit card issuers)
Contracts may not allow organization to control how to deal with breach, even though it may have most of the risk and responsibility
Internal resources and priorities at other organizations may conflict

Why Does This Matter?
Policy makers and regulators should be sensitive to organizational dynamics
Organizations are not monoliths, but individuals who are sometimes struggling
Guidelines are useful, but as a starting point only
“ Take reasonable steps” does not provide much assistance in middle of tornado
Each situation must be understood on the basis of dynamics of organization

Regulators must often try to support CPO
Usually friend of privacy but often caught amongst many competing interests
Board of directors
Senior management
Other employees
Customers
Investors
Outside advisors
Media

Regulators must understand role fear and distrust play in relationship with organizations
New people often involved in data breach response
Especially applicable to decision to notify regulator about data breaches
Concern that disclosure will create liability
Concern about access to information requests
If compulsory notification is instituted, organizations must have assurances about potential uses of information

Do No (More) Harm
Bottom line for organizations and regulators
While quick action is required, any action before facts are known can make things worse
Must avoid making response to privacy breaches part of the problem
Understanding of risks resulting from breach is crucial, but can take some time
While guidelines are useful, very few “hard and fast” rules that will apply in all situations

Questions?
For a digital copy of these slides, just ask!
[email_address]

Privacy Breaches - The Private Sector Perspective

by canadianlawyer

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Privacy Breaches - The Private Sector Perspective Presentation Transcript