Privacy Breaches – The Private Sector Perspective

OBA, June 8, 2009
Mark S. Hayes
Partner, Hayes eLaw LLP

Summary
• Privacy breaches are messy
• Organization responses to privacy breaches are not models of efficiency and logic
• IPCs can assist organizations, but only if assistance is not viewed as a threat
• If in doubt, do no (more) harm!

Breach Guidelines
• Current guidelines are useful and reasonably practical
• Four-step response plan is a good general guide
• Everything is much easier if proper steps are taken in advance

Breach Notification
• Similarly, advice in documents like B.C.’s “Key Steps For Responding To Privacy Breaches” is of assistance in deciding whether and how to notify
• With minor exceptions, the latest Industry Canada Breach Notification Model has struck the right balance between protection of the public and knee-jerk reactions that cause more harm than good

However…
• All of these guidelines can’t tell people in the trenches what they should do when dealing with a real-life data breach
• Reality of organizations
• Nature of breaches
• Nature of internal responsibilities and responses

A Case Study
• Famous Harvard Business Review case study
  – Medium-sized retailer told by police it appears to be the common point of purchase for a large number of fraudulent credit card transactions
  – Not clear if the company and its (less than airtight) IT systems are the cause of the apparent data breach
  – Customers have come to respect the firm for its straight talk and square deals
  – Law enforcement wants them to stay quiet for now
  – Reputation at stake; path to preserving it difficult to see

Experts’ Advice
• James E. Lee, ChoicePoint
  – Advises early and frank external and internal communications, elimination of security weaknesses, and development of a brand-restoration strategy
• Bill Boni, Motorola
  – Stresses prevention: comprehensive risk management, full compliance with PCI standards, putting digital experts on staff, consulting an established model response plan, and preserving the firm’s reputation
• John Philip Coghlan, formerly of Visa USA
  – Recommends swift disclosure to empower consumers to protect themselves against further fraud; might even enhance the company’s reputation for honesty
• Jay Foley, Identity Theft Resource Center
  – Recommends quality of communication over speed of delivery; cautious management to prevent data thefts and long-term negative consequences

The Conundrum
• All of this may be good advice, but it is not identical and is sometimes conflicting
  – Typical when an organization discovers that it might have experienced a data breach
  – Organization often gets much advice and guidance, but no clear answers
• Want to discuss responses to data breaches in the real world

The Real World – Pre-Breach
• Privacy often seen as a small and relatively unimportant compliance requirement
  – Not core to the organization
  – Handled at a middle management level with periodic reporting to senior management
  – Compliance with privacy requirements is the focus
• Most organizations have no more than one serious data breach
  – Only an actual breach focuses senior management on privacy

The Real World – Dealing With A Breach
• Data breaches are really, really messy
  – Incomplete or incorrect information
  – Time and resource pressures
  – Confusing and contradictory internal and external priorities and policies
  – Poor internal coordination of response
  – Poor communications
• Often no organized response team or list of internal and external contacts and back-ups
• Fear!

The Real World – Dealing With A Breach
• Multiple risk management priorities
  – While organizations have concerns about individuals affected by data breaches, they are also concerned about organizational risk
  – Many other risk management priorities in addition to privacy and damage to individuals
  – Risk emphasis may depend on the locus of privacy compliance management
• Personal view of the elephant

The Real World – Dealing With A Breach
• Lack of authority (or interest) to respond without senior management approval
• Confusion about responsibility for security as opposed to privacy
  – Especially true for IT security
  – CPO may have little knowledge of, or influence on, IT security procedures, even in an urgent situation
• Most often internal resources are not sufficient
  – Obtaining expert assistance takes time and money; often both are in short supply

The Real World – Dealing With A Breach
• Many data breaches involve more than one organization
• Ability to investigate and respond to a breach is not solely in the control of the organization
  – Service providers
  – Subsidiaries and affiliates
  – Business partners (e.g. credit card issuers)
• Contracts may not allow the organization to control how to deal with the breach, even though it may carry most of the risk and responsibility
• Internal resources and priorities at other organizations may conflict

Why Does This Matter?
• Policy makers and regulators should be sensitive to organizational dynamics
  – Organizations are not monoliths, but individuals who are sometimes struggling
• Guidelines are useful, but a starting point only
  – “Take reasonable steps” does not provide much assistance in the middle of a tornado
• Each situation must be understood on the basis of the dynamics of the organization

Why Does This Matter?
• Regulators must try to support the CPO
• Usually a friend of privacy, but often caught amongst many competing interests
  – Board of directors
  – Senior management
  – Other employees
  – Customers
  – Investors
  – Outside advisors
  – Media

Why Does This Matter?
• Regulators must understand the role fear and distrust play in the relationship with organizations
  – New people are often involved in data breach response
• Especially applicable to the decision to notify the regulator about data breaches
  – Concern that disclosure will create liability
  – Concern about access to information requests
• If compulsory notification is instituted, organizations must have assurances about potential uses of the information

Do No (More) Harm
• Bottom line for organizations and regulators
• While quick action is required, any action before the facts are known can make things worse
  – Must avoid making the response to privacy breaches part of the problem
• Understanding of the risks resulting from the breach is crucial, but can take some time
• While guidelines are useful, there are very few “hard and fast” rules that will apply in all situations

Questions?
For a digital copy of these slides, just ask!
mark@hayeselaw.com