Canadian organizations with control over personal information should be aware of the privacy vulnerabilities of Heartbleed and their related legal obligations. Below, we have summarized: (1) the risks of Heartbleed; (2) the notification obligations of organizations that have experienced a privacy breach; (3) amendments to those obligations, as proposed by the federal government; and (4) recommendations to protect your organization from privacy breaches and legal liability.
Heartbleed is a serious security vulnerability that exists in certain versions of the OpenSSL software. OpenSSL is an open source software module created to implement certain cryptographic functions and provide various utility functions. It is used in the websites of both public and private sector entities and it is also incorporated into network equipment made by manufacturers around the world. In a nutshell, Heartbleed is a vulnerability that enables a hacker to steal sensitive information such as credit card numbers, usernames, passwords, and other confidential or personal information from websites or network equipment protected through OpenSSL encryption that was previously thought to be virtually impossible to circumvent.
WHO IS AFFECTED BY HEARTBLEED?
Tens of millions of organizations operating websites of all sizes were vulnerable to the Heartbleed bug when it was first discovered. In some instances, personal information was compromised before website operators had a chance to fully implement remedies. For instance, despite quick measures to disable public access to its online services on April 8, 2014, the Canada Revenue Agency announced on April 14, 2014 that social insurance numbers of approximately 900 Canadians were downloaded by a hacker exploiting the Heartbleed bug.
CURRENT NOTIFICATION OBLIGATIONS AFTER A PRIVACY BREACH
The Personal Information Protection and Electronic Documents Act (“PIPEDA”) is the federal legislation that oversees and regulates the collection, use and disclosure of personal information by private organizations in all provinces and territories in Canada, with the exception of British Columbia, Alberta and Québec (each of which has substantially similar provincial legislation regulating private organizations). Currently, a private organization does not have any mandatory privacy breach notification requirements under PIPEDA, although such requirements are included in the proposed amendments to PIPEDA summarized below.
Alberta is the only Canadian jurisdiction that has instituted mandatory privacy breach notification requirements with respect to non-personal health information. Section 34.1(1) of the Alberta Personal Information Protection Act (the “Alberta PIPA”) requires an organization with personal information under its control to notify the Alberta Information and Privacy Commissioner with respect to “any incident involving the loss of or unauthorized access to or disclosure of the personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure” (emphasis added). After such notification, the Alberta Information and Privacy Commissioner will decide whether the subject organization must notify the individuals affected by the breach.
The Manitoba Personal Information Protection and Identity Theft Prevention Act (the “Manitoba PIPITPA”), which received royal assent in 2013 but is not yet in force, also contains mandatory privacy breach notification requirements. However, the notification process is more direct than the process in the Alberta PIPA. An organization governed by the Manitoba PIPITPA is obligated to directly notify an individual, as soon as reasonably practicable, if “the personal information about the individual that is in its custody or under its control is stolen, lost or accessed in an unauthorized manner”. Note that, unlike the Alberta PIPA, the obligations set out in the Manitoba PIPITPA do not have a harm threshold. As a result, any type of privacy breach, regardless of the resulting level of harm, could trigger mandatory notification obligations under the Manitoba PIPITPA when it comes into force.
In addition to PIPEDA and the provincial equivalents, many provinces have also passed specific privacy legislation dealing with the collection, use and disclosure of personal health information by public and private sector health care providers. In some cases, breach notifications are mandatory. For instance, Section 49(1)(c) of New Brunswick’s Personal Health Information Privacy and Access Act provides that a custodian shall notify the individual to whom the information relates and the Access to Information and Privacy Commissioner if personal health information is stolen, lost, disposed of, except as permitted by law, or disclosed to or accessed by an unauthorized person. Similar breach notification requirements can be found in health-sector privacy legislation in Ontario and Newfoundland and Labrador.
In general, an organization with a privacy vulnerability that has not resulted in any unauthorized access or disclosure of personal information will likely not have any notification requirements, because a privacy breach has not occurred. However, if any unauthorized access or disclosure of personal information has occurred, the affected organization will be required to notify the applicable privacy commissioner (and, in certain cases, all of the affected individuals) of the privacy breach if the Alberta PIPA or the health-sector privacy legislation in Ontario, New Brunswick, or Newfoundland and Labrador applies.
PROPOSED AMENDMENTS TO PRIVACY LEGISLATION
In April 2014, the Canadian government introduced Bill S-4, the Digital Privacy Act, in the Senate. Bill S-4 proposes to amend PIPEDA to include, among other things, mandatory privacy breach notification requirements, similar to those currently in the Alberta PIPA. Under Bill S-4, if an organization suffers a breach of privacy that creates a “real risk of significant harm” to an individual, the organization will be required to, among other things, report the breach to the Privacy Commissioner of Canada, notify any individuals whose personal information is involved in the breach, and provide such individual(s) with guidance to reduce the risk of harm that could result from the breach. Lastly, the proposed amendments also grant enforcement powers to the Privacy Commissioner to fine organizations up to $100,000 for failing to report a privacy breach. For more information on the Digital Privacy Act, please see Keith Rose’s blog post “The Digital Privacy Act: Proposed Amendments to PIPEDA.”
PROTECTING YOUR ORGANIZATION
To protect your organization from Heartbleed and future vulnerabilities, we recommend that you:
- Determine whether you are vulnerable. Determine whether your website is vulnerable to the Heartbleed bug. You can test your website by using this tool.
- Remedy any vulnerabilities and comply with notification obligations. If your website is vulnerable to the Heartbleed bug, remedy the vulnerability immediately and determine whether personal information has been compromised. If so, determine your notification requirements. Failure to immediately remedy vulnerabilities and comply with notification requirements can expose your organization to liability. As described above, notification requirements vary by province, industry and organization. You may be obligated by statute to notify the applicable privacy commissioner or affected users. Additionally, since most website privacy policies make some reference to the security of personal information, a failure to notify affected users (even in the absence of legislative requirements) may lead to increased exposure to private action. Voluntary notification can help mitigate your risk.
- Conduct an internal privacy audit and improve practices. Review your privacy practices and take appropriate steps to ensure that your systems are secure and do not contain other vulnerabilities. Avoid the next Heartbleed by remedying any other vulnerabilities and ensuring that the personal information in your possession or custody is protected. If you use third party service providers, ensure that any personal information in control of a third party is also protected, as most privacy statutes require you to use contractual or other means to ensure that third party service providers provide a level of personal information protection that is comparable or superior to the level required of you. Additionally, if you use open source software, ensure that your organization does not blindly rely on its security features. Make it a practice to test all open source software before release.
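The first recommendation above, determining whether you are vulnerable, starts with knowing which OpenSSL build each of your hosts actually runs. The script below is an added example, not code from the original article or from the OpenSSL project: it parses the output of `openssl version` collected from several hosts, orders the builds by OpenSSL's major.minor.fix-plus-letter scheme, and flags those inside an affected range. The inventory lines are constructed, and the range bounds are placeholders (the article does not state the affected releases), so confirm them against the OpenSSL project's own security advisory before relying on the result.

```python
"""
Inventory triage for OpenSSL builds: parse `openssl version` output from
several hosts and flag builds inside a configured affected range.
Added example with constructed sample data; not from the original article.
"""
import re
from typing import NamedTuple

# OpenSSL 1.x release strings look like "1.0.1e", "1.0.1g", "0.9.8y" or
# "1.0.2-beta1": major.minor.fix, an optional patch letter, optional "-tag".
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([A-Za-z0-9]+))?"
)


class OpenSSLVersion(NamedTuple):
    major: int
    minor: int
    fix: int
    patch: str  # letter suffix, "" when absent
    tag: str    # "fips", "beta1", ... without the dash; "" when absent

    def key(self):
        # A letter sorts after the bare release ("1.0.1" < "1.0.1a"), so map
        # "" to 0 and "a".."z" to 1..26. One letter is enough for the 1.x series.
        letter_rank = (ord(self.patch[0]) - ord("a") + 1) if self.patch else 0
        return (self.major, self.minor, self.fix, letter_rank)


def parse_openssl_version(text):
    """Return an OpenSSLVersion for an `openssl version` line, or None if it is not OpenSSL."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, patch, tag = m.groups()
    return OpenSSLVersion(int(major), int(minor), int(fix), patch, tag or "")


# PLACEHOLDER bounds: the article does not state the affected releases.
# Confirm the range against the OpenSSL project's security advisory before
# relying on this check. Lower bound is inclusive, upper bound exclusive.
AFFECTED_LOWER = parse_openssl_version("OpenSSL 1.0.1")
AFFECTED_UPPER = parse_openssl_version("OpenSSL 1.0.1g")


def classify(version):
    """Return 'affected', 'not affected' or 'review' for a parsed version."""
    if version is None:
        return "review"  # not OpenSSL or unparseable: a person has to look at it
    if version.tag.startswith("beta"):
        return "review"  # pre-release builds are not covered by the range comparison
    if AFFECTED_LOWER.key() <= version.key() < AFFECTED_UPPER.key():
        return "affected"
    return "not affected"


# Constructed inventory: "host<TAB>output of `openssl version` on that host".
SAMPLE_INVENTORY = """\
web-01\tOpenSSL 1.0.1e-fips 11 Feb 2013
web-02\tOpenSSL 1.0.1g 7 Apr 2014
lb-01\tOpenSSL 0.9.8y 5 Feb 2013
vpn-01\tOpenSSL 1.0.2-beta1 24 Feb 2014
legacy-01\tLibreSSL 2.0.0
"""


def triage_inventory(inventory_text):
    """Map each host to its classification, preserving inventory order."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, raw = line.partition("\t")
        results[host] = classify(parse_openssl_version(raw))
    return results


def hosts_needing_action(inventory_text):
    """Hosts that are affected or need manual review, in inventory order."""
    return [h for h, c in triage_inventory(inventory_text).items() if c != "not affected"]


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:<10} {status}")
```

Anything other than "not affected" goes on the remediation list. A version string alone does not finish the second recommendation: a service that was linked against the old library keeps it loaded until restarted, and the question of whether personal information was compromised while the host was exposed still has to be answered separately.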