Privacy Breaches In Canada Lsuc It.Can May 1 2009 (Plain Background)

Privacy breaches are in the news, but it's difficult for organizations to know how to respond. This brief presentation reviews some of the steps.

  1. Privacy Breaches in Canada – Some Legal and Practical Considerations
     Mark Hayes, LSUC/IT.Can Spring Training, Toronto, May 1, 2009
  2. Privacy Breaches
     • Not news that privacy breaches are increasingly a big deal
       – much media attention
       – politicians are interested
       – public is concerned
     • For organizations, costs are significant
       – financial costs in the millions
       – reputational cost may be even higher
  3. The Questions Everyone Asks
     1. Do we have to tell anyone about this?
     2. What the heck should I do about this?
     3. Can we be liable for this?
     • Some caveats
       – there are no “one size fits all” answers
       – specific facts are very important
       – must use judgment and common sense
  4. Q1: Do We Have To Tell Anyone About This?
     • Privacy breach notification is a hot button issue
     • Most US states have passed legislation requiring notification
       – sometimes to the individual directly
       – sometimes to the regulator
  5. Compulsory Notification
     • Arguments for:
       – autonomy of the individual
       – there may be steps that can be taken to minimize risk and potential damage to the individual
       – satisfies demands to “do something”
     • Arguments against:
       – high costs with little demonstrated benefit
       – recent studies found little or no reduction in ID theft
       – over-notification and “notice fatigue”
  6. Ontario PHIPA
     • Only Canadian privacy statute with a compulsory notification requirement
     • Section 12(2):
       – “... a health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons. ...”
  7. Ontario PHIPA
     • Despite the unqualified language of section 12(2)
       – notification does not have to be sent in every case of a “privacy breach”
       – individual notification is not necessary in every case
  8. Order HO-004
     • Researcher from Sick Kids had a laptop stolen
       – simple password on laptop; no encryption
       – some information very sensitive
     • OIPC reviewed the privacy procedures of Sick Kids and found some significant gaps
  9. Order HO-004
     • Two important findings
       – notification not necessary if information is encrypted
         • did not discuss particular standards, but today 128 bit is required
       – in certain circumstances, alternatives to individual notices may be sufficient (newspaper ads, notices on web site, etc.)
  10. Notification And General Security Obligations
     • Most Canadian privacy statutes do not deal explicitly with notification
     • All of them have a security obligation
       – e.g. PIPEDA Principle 4.7: “personal information shall be protected by security safeguards appropriate to the sensitivity of the information”
     • Does this create a notification obligation?
  11. BC Investigation Report F06-01
     • March 2006
     • Government computer tape sold at scrap auction, but was not erased
     • Buyer discovered the error and notified the media
     • Notification not presumed or compulsory
     • Should consider notification as one way to minimize the impact of a privacy breach on affected individuals
  12. Other Notification Requirements
     • Specific laws, regulations, industry codes of conduct or other rules applicable to the organization
     • Contractual requirements that require disclosure
     • Nature of the relationship between the organization and the individual may require disclosure of a privacy breach
       – e.g. where the organization is a fiduciary or agent for the individual
  13. Proposals for Reform
     • PIPEDA five-year (?) review ongoing
     • Standing Committee on Access to Information, Privacy and Ethics Report released May 2007
     • Committee proposed requiring notification to the Commissioner of some, but not all, privacy breaches
       – Commissioner to have discretion to decide whether individual notices were warranted and what form they should take
     • Government proposal
       – Privacy Commissioner to be notified of major breaches
       – Individuals notified when there is a high risk of significant harm
     • PIPEDA will at some point have a notification requirement
  14. Strategies Surrounding Notification
     • Doing nothing is not a viable alternative
       – unexpected disclosure of a privacy breach is more damaging than the fact of the breach itself
       – periodic financial audit and reporting
       – internal “whistleblowers”
       – unrelated regulatory audits or investigations
     • Must approach as a risk-management exercise
  15. Breach Notification Assessment Tool
     • Published by the B.C. and Ontario IPCs in December 2006
     • Steps to be taken by an organization in deciding whether to notify individuals or regulators about a privacy breach
     • Presumes that notification will be required in some, but not all, circumstances
  16. Tool’s Four Steps
     • Step 1: Notify Affected Individuals?
     • Step 2: When and How to Notify
     • Step 3: What to Include in the Notification
     • Step 4: Others to Contact
     • Only deals with notification – other responses to a privacy breach are considered later
  17. 1. Notify Affected Individuals?
     • Statutory, regulatory or contractual requirements?
     • Assess risks to affected individuals
       – identity theft
       – physical harm (e.g. stalking)
       – hurt, humiliation, damage to reputation
       – loss of business or employment opportunities
     • Note no consideration of risks to the organization
  18. 2. When to Notify
     • Notification should be as soon as possible
       – limited circumstances where delay is appropriate (e.g. ongoing police investigation)
     • Often should wait until reasonably sure that a data breach has in fact occurred
       – sending notices to individuals prematurely may in fact cause more harm than good
  19. 2. How to Notify
     • Direct notification by letter or email is preferred
     • Alternatives may be justified where:
       – direct notification could cause further harm
       – direct notification is prohibitive in cost
       – contact information is missing or likely to be inaccurate
  20. 3. What to Include in Notification
     • Date and description of the breach and what information was inappropriately accessed, collected, used or disclosed
     • Summary of steps taken to control or reduce harm
     • Steps planned to prevent further breaches
     • How individuals can protect themselves
     • How to complain to the appropriate privacy regulator
     • Contact information for a person who can provide additional information and assistance and answer questions
  21. 4. Others to Contact
     • Law enforcement (if it appears the breach resulted from a criminal act)
     • Commissioner’s office
     • Appropriate professional or regulatory bodies
     • Technical suppliers (if the breach resulted from a technical failure or underlying vulnerability)
  22. Caveats About Tool
     • Written from the point of view of the IPC
     • Ignores concerns that the organization may have in dealing with these issues
       – e.g. how to deal with the media and other stakeholders
     • Does not give guidance about drafting notification letters or notices
     • Useful resources and guidelines from U.S. states that have implemented breach notification obligations
  23. Q2: What The Heck Should I Do About This?
     • Each individual situation may require different strategies
       – impossible to generalize – requirements differ
     • Response will depend on many factors:
       – nature of the breach
       – nature of the organization
     • Should consider creating a privacy breach protocol before an incident occurs
  24. Privacy Breach Protocol
     • So why doesn’t everyone have one?
       – cost (or perceived cost)
       – lack of a privacy coordinator with the skills or authority to ensure that a protocol is established and implemented
       – competitors have not developed a protocol
       – general attitude that “it won’t happen to us.”
  25. Key Steps In Breach Response
     1. Containment
     2. Risk Assessment
     3. Notification
     4. Remediation and Review
     • All steps may not apply to every breach response
  26. 4. Remediation and Review
     • May be the most important step
     • Thoroughly investigate the cause of the breach
     • What steps, if any, are needed to prevent future incidents?
     • Extent of review largely based on preparedness before the incident occurred
  27. Remediation Steps
     • Privacy audit
       – analyze information that is collected, used and disclosed by the organization
       – identify issues of non-compliance with applicable privacy laws, industry guidelines, contractual obligations
       – update the existing privacy audit and assess its continuing viability
  28. Remediation Steps
     • Review and update privacy policies and procedures
       – reflect the “lessons learned” from the breach investigation
     • Plan a scheduled audit to ensure changes are implemented
     • Implement a privacy breach protocol or review the existing protocol’s effectiveness
  29. Remediation Steps
     • Train employees
       – must understand the organization’s privacy obligations
       – knowledge of the privacy breach protocol
       – consider refreshers of previous training
       – changes or additions to the training program
  30. Can We Be Liable For This?
     • Potentially many sources of liability for a personal information breach
       – private sector personal information privacy statutes
       – general purpose privacy legislation
       – common law
     • No clarity yet in any of these areas
     • Some class actions have been commenced, but none certified
  31. International Breach Issues
     • Many foreign jurisdictions have more draconian penalties (financial and otherwise) than under Canadian laws
     • In some jurisdictions, penalties can be applied against officers and directors
     • Foreign privacy laws may require
       – notification to regulators, consumers and other entities
       – specific remediation and risk reduction techniques
         • credit monitoring and counselling services
  32. International Breach Issues
     • Consider both proactive and reactive steps
     • Assess the nature of personal information in possession or control
       – significant amount of information about foreign residents or citizens?
       – is personal information stored or processed in a foreign jurisdiction?
     • Compile a list of jurisdictions where a privacy breach could engage the application of local privacy laws
     • Get a summary of applicable laws in the event of a breach
     • Adjust the breach response protocol
  33. Bottom Line
     • Privacy breaches have the potential to be expensive, embarrassing and damaging to organizations and affected individuals
     • Information security and procedures will not prevent all breaches
     • Organizations must prepare for the worst – and hope for the best!
  34. Thank You! For a copy of these slides, just ask!