Privacy Breaches in Canada – LSUC/IT.Can, May 1, 2009
1. Privacy Breaches in Canada – Some Legal and Practical Considerations
Mark Hayes
LSUC/IT.Can Spring Training
Toronto, May 1, 2009
2. Privacy Breaches
• Not news that privacy breaches are increasingly a big deal
  – much media attention
  – politicians are interested
  – public is concerned
• For organizations, costs are significant
  – financial costs in the millions
  – reputational cost may be even higher
3. The Questions Everyone Asks
1. Do we have to tell anyone about this?
2. What the heck should I do about this?
3. Can we be liable for this?
• Some caveats
– there are no “one size fits all” answers
– specific facts are very important
– must use judgment and common sense
4. Q1: Do We Have To Tell Anyone About This?
• Privacy breach notification is a hot-button issue
• Most US states have passed legislation requiring notification
  – sometimes to individual directly
  – sometimes to regulator
5. Compulsory Notification
• Arguments for:
  – autonomy of individual
  – may be some steps that can be taken to minimize risk and potential damage to individual
  – satisfies demands to “do something”
• Arguments against:
  – high costs with little demonstrated benefit
  – recent studies found little or no reduction in ID theft
  – over-notification and “notice fatigue”
6. Ontario PHIPA
• Only Canadian privacy statute with compulsory notification requirement
• Section 12(2):
  – “... a health information custodian that has custody or control of personal health information about an individual shall notify the individual at the first reasonable opportunity if the information is stolen, lost, or accessed by unauthorized persons. ...”
7. Ontario PHIPA
• Despite unqualified language of section 12(2):
  – notification does not have to be sent in every case of a “privacy breach”
  – individual notification is not necessary in every case
8. Order HO-004
• Researcher from Sick Kids had laptop stolen
  – simple password on laptop; no encryption
  – some information very sensitive
• OIPC reviewed privacy procedures of Sick Kids and found some significant gaps
9. Order HO-004
• Two important findings
  – notification not necessary if information is encrypted
    • did not discuss particular standards, but today 128-bit is required
  – in certain circumstances, alternatives to individual notices may be sufficient (newspaper ads, notices on web site, etc.)
10. Notification And General Security Obligations
• Most Canadian privacy statutes do not deal explicitly with notification
• All of them have security obligation
  – e.g. PIPEDA Principle 4.7: “personal information shall be protected by security safeguards appropriate to the sensitivity of the information”
• Does this create notification obligation?
11. BC Investigation Report F06-01
• March 2006
• Government computer tape sold at scrap auction, but was not erased
• Buyer discovered error and notified media
• Notification not presumed or compulsory
• Should consider notification as one way to minimize the impact of a privacy breach on affected individuals
12. Other Notification Requirements
• Specific laws, regulations, industry codes of conduct or other rules applicable to organization
• Contractual requirements that require disclosure
• Nature of relationship between the organization and individual may require disclosure of privacy breach
  – e.g. where organization is fiduciary or agent for individual
13. Proposals for Reform
• PIPEDA five-year (?) review ongoing
• Standing Committee on Access to Information, Privacy and Ethics Report released May 2007
• Committee proposed requiring notification to Commissioner of some, but not all, privacy breaches
  – Commissioner to have discretion to decide whether individual notices were warranted and what form they should take
• Government proposal
  – Privacy Commissioner be notified of major breach
  – Individuals notified when there is a high risk of significant harm
• PIPEDA will at some point have notification requirement
14. Strategies Surrounding Notification
• Doing nothing is not a viable alternative
  – unexpected disclosure of privacy breach more damaging than fact of breach itself
  – periodic financial audit and reporting
  – internal “whistleblowers”
  – unrelated regulatory audits or investigations
• Must approach as risk-management exercise
15. Breach Notification Assessment Tool
• Published by B.C. and Ontario IPCs in December 2006
• Steps to be taken by organization in deciding whether to notify individuals or regulators about privacy breach
• Presumes that notification will be required in some, but not all, circumstances
16. Tool’s Four Steps
• Step 1: Notify Affected Individuals?
• Step 2: When and How to Notify
• Step 3: What to Include in the Notification
• Step 4: Others to Contact
• Only deals with notification
  – other responses to privacy breach considered later
17. 1. Notify Affected Individuals?
• Statutory, regulatory or contractual requirements?
• Assess risks to affected individuals
  – identity theft
  – physical harm (e.g. stalking)
  – hurt, humiliation, damage to reputation
  – loss of business or employment opportunities
• Note no consideration of risks to organization
18. 2. When to Notify
• Notification should be as soon as possible
  – limited circumstances where delay is appropriate (e.g. ongoing police investigation)
• Often should wait until reasonably sure that data breach has in fact occurred
  – sending notices to individuals prematurely may in fact cause more harm than good
19. 2. How to Notify
• Direct notification by letter or email is preferred
• Alternatives may be justified where:
  – direct notification could cause further harm
  – direct notification is prohibitive in cost
  – contact information is missing or likely to be inaccurate
20. 3. What to Include in Notification
• Date and description of breach, and what information was inappropriately accessed, collected, used or disclosed
• Summary of steps to control or reduce harm
• Steps planned to prevent further breaches
• How individuals can protect themselves
• How to complain to appropriate privacy regulator
• Contact information for person who can provide additional information and assistance and answer questions
21. 4. Others to Contact
• Law enforcement (if it appears breach resulted from criminal act)
• Commissioner’s office
• Appropriate professional or regulatory bodies
• Technical suppliers (if the breach resulted from technical failure or underlying vulnerability)
22. Caveats About Tool
• Written from the point of view of the IPC
• Ignores concerns that organization may have in dealing with these issues
  – e.g. how to deal with the media and other stakeholders
• Does not give guidance about drafting notification letters or notices
• Useful resources and guidelines are available from U.S. states that have implemented breach notification obligations
23. Q2: What The Heck Should I Do About This?
• Each individual situation may require different strategies
  – impossible to generalize; requirements differ
• Response will depend on many factors:
  – nature of breach
  – nature of organization
• Should consider creating privacy breach protocol before incident occurs
24. Privacy Breach Protocol
• So why doesn’t everyone have one?
  – cost (or perceived cost)
  – lack of privacy coordinator with skills or authority to ensure that protocol is established and implemented
  – competitors have not developed protocol
  – general attitude that “it won’t happen to us”
25. Key Steps In Breach Response
1. Containment
2. Risk Assessment
3. Notification
4. Remediation and Review
• All steps may not apply to every breach response
26. 4. Remediation and Review
• May be most important step
• Thoroughly investigate the cause of the breach
• What steps, if any, are needed to prevent future incidents?
• Extent of review largely based on preparedness before incident occurred
27. Remediation Steps
• Privacy audit
  – analyze information that is collected, used and disclosed by organization
  – identify issues of non-compliance with applicable privacy laws, industry guidelines, contractual obligations
  – update existing privacy audit and assess its continuing viability
28. Remediation Steps
• Review and update privacy policies and procedures
  – reflect the “lessons learned” from breach investigation
• Plan scheduled audit to ensure changes are implemented
• Implement privacy breach protocol or review existing protocol’s effectiveness
29. Remediation Steps
• Train employees
  – must understand organization’s privacy obligations
  – knowledge of privacy breach protocol
  – consider refreshers of previous training
  – changes or additions to training program
30. Can We Be Liable For This?
• Potentially many sources of liability for personal information breach
  – private sector personal information privacy statutes
  – general purpose privacy legislation
  – common law
• No clarity yet in any of these areas
• Some class actions have been commenced, but none certified
31. International Breach Issues
• Many foreign jurisdictions have more draconian penalties (financial and otherwise) than under Canadian laws
• In some jurisdictions, penalties can be applied against officers and directors
• Foreign privacy laws may require
  – notification to regulators, consumers and other entities
  – specific remediation and risk reduction techniques
    • credit monitoring and counselling services
32. International Breach Issues
• Consider both proactive and reactive steps
• Assess nature of personal information in possession or control
  – significant amount of information about foreign residents or citizens?
  – is personal information stored or processed in a foreign jurisdiction?
• Compile list of jurisdictions where privacy breach could engage application of local privacy laws
• Get summary of applicable laws in event of breach
• Adjust breach response protocol
33. Bottom Line
• Privacy breaches have potential to be expensive, embarrassing and damaging to organizations and affected individuals
• Information security and procedures will not prevent all breaches
• Organizations must prepare for the worst – and hope for the best!
34. Thank You!
For a copy of these slides, just ask!
mark@hayeselaw.com