Last month we looked at the systemic, technological reasons why material privacy breaches are becoming a more prevalent phenomenon in Canada. The sad, but hard, fact is that it is only a matter of time before your organization is faced with a material privacy breach, whereby through theft, other wrongdoing or negligence, confidential personal information in your organization’s care or control leaks out to unauthorized persons. That brings us to the practical steps you need to consider when you are faced with such a situation.
It should be noted at the outset that the following only addresses what to consider upon a privacy breach. Of course your organization should also be actively thinking about steps to take to beef up physical and computer security to help ensure that the likelihood of a breach is diminished – or at least that the fallout from the inevitable breach is reduced.
Assembling the Response Team
As soon as management learns of the breach, the appropriate response team needs to be assembled. The team should include, at a minimum, the chief privacy officer and senior representatives from IT, security, communications, the operating division where the breach occurred, the legal department, and outside privacy law and litigation counsel.
Ideally the team isn’t meeting for the first time when the incident occurs. Rather, the team should have been assembled well before, and even had a few meetings in order to plan for just such an occurrence. This is because of the intense time pressures that accompany material privacy breaches – you need to assess the situation, and act, very quickly. It is therefore not optimal if members of the response team are meeting each other for the first time as the crisis is flaring up.
In terms of outside privacy law counsel, you’ll be particularly interested in having someone who’s been through these scenarios before, and who has a good working relationship with the privacy commissioner ("PC") that has jurisdiction over your organization. As for litigation expertise, material privacy breaches involving, for example, customer financial information, are generating class action lawsuits with some regularity. Therefore, you’ll need solid litigation advice from the outset on the mitigation actions being contemplated by the organization, together with expertise in cross-provincial class actions, as typically there are consumers impacted in more than one province.
Understanding the Facts
It sounds trite, but the first step for the team is to determine what actually happened. However, information can be extremely elusive, so figuring out the precise parameters of the privacy breach can often be difficult. Simply tracking the "chain of custody" can be a challenge – who had the data when the breach occurred; how did the breach occur; how was the breach discovered; and what exactly is the data at issue? The effort to determine answers to these questions can be non-trivial.
For example, consider the scenario where a sales manager’s laptop "goes missing" on a business trip. Was it left at the last customer site; or in the cab on the way to the airport; or at the airport lounge? Was it "mislaid", or stolen? It contained large amounts of customer data. But exactly what data, and for which customers? Different data can be more or less problematic. Did it include credit card numbers, or just home addresses? Some information can facilitate full "identity theft"; other information raises the possibility of only fraudulent charges. While both are unfortunate, the latter is less problematic than the former. And was the data encrypted, or just password protected? Interestingly, some US privacy breach notification laws create "safe harbour" regimes where encryption is used for safeguarding the data.
In many of the privacy breach cases we have been involved with, there are no crisp answers to these questions. That is a problem, because it makes responding to the breach in a timely fashion that much more difficult.
Damage Mitigation Plan
In parallel with determining what actually happened, the team will be developing a damage mitigation plan – what concrete steps can be taken by the organization to keep the adverse fallout from the breach to a minimum. This may involve both internal measures (retrieving copies of the data, revising passwords and access protocols, recreating corrupt databases) and external ones (for example, reviewing contractual obligations where data is processed for others). Then you need to assess what degree of harm could arise if the information is abused.
In devising the damage mitigation plan, it is often the case that not all the possible action steps are fully under the control of your organization. You may have a requirement to notify insurers, in which case they may well want a say in how you proceed. If you bring in law enforcement authorities in response to a theft or other wrongdoing (such as a case of online hacking), they may well have their own investigation requirements that conflict with your own goals. For instance, in one recent major privacy breach case, the police asked the organization to hold off notifying the public about the breach, in order to assist the police with their investigation. This was fine for the police, but caused hardship for the company, which was later sued for (among other things) taking too long to notify its customers of the privacy breach.
To Notify or Not To Notify
A major threshold question facing the team is whether the organization should give notification of the breach, and if so, to whom and how. In some cases this decision is made easy because legislation applicable to the organization requires notification. For example, in the healthcare field in Ontario, that province’s personal health information protection law requires that the health information custodian notify the individual "at the first reasonable opportunity if the information is stolen, lost or accessed by unauthorized persons". Equally, the majority of US states now have legislation requiring mandatory notification in the event of a privacy breach.
If you are in a jurisdiction where there is no express (or implied) statutory requirement to give notice of a privacy breach, you may well conclude that you should notify in any event, but this should only be done after careful consideration. There are, indeed, numerous scenarios where notifying customers serves no functional purpose in terms of mitigating harm to them, and the notification would in fact only exacerbate the problem.
Often, a middle ground is to initially notify only the relevant privacy commissioner ("PC"). Interestingly, a Parliamentary Committee earlier this year considering potential changes to our federal privacy legislation, made just this recommendation; namely, that organizations be required to report certain types of breaches of their personal information holdings to the federal PC. It would then be up to the PC to decide whether or not affected individuals and others should be notified, and in what manner.
Consulting the relevant PC already goes on currently, even where there is no strict legal requirement to do so. Ontario’s PC, for example, has dealt with many such notifications. Interestingly, of 33 recent such situations, fully 13 were the result of stolen computing devices, four were caused by misdirected faxes, and fully five were the result of the data custodian merely being unable to locate or determine what happened to the information.
When the PC is notified, they usually recommend further notification of the data subjects, but not always. In some cases, surprisingly perhaps, the PC concludes that notification would actually further compromise the privacy of the data subject. In short, each fact pattern needs to be assessed on its own merits.
Getting the News Out
If you’ve decided – on your own or in conjunction with your PC – to notify customers, there are lots of ways of doing it. Personalized paper-based letters, or emails, can work well. Where current addresses are not known, use of a website can be very helpful, or a more traditional advertisement/notice can be published in a local newspaper. Some firms hire marketing companies whose staff then make live, personal calls to each customer.
With healthcare-related personal information, extreme sensitivity must be the order of the day. Often, an in-person message is delivered to the data subject by the custodian of the data, sometimes waiting to do so until the next time the patient returns for treatment.
As for what to say in your notification, PCs tend to suggest the following: the basic facts surrounding the breach; the types of personal information involved; the measures taken to mitigate harm; advice to data subjects as to what they can do to further reduce risk of harm; and the fact that data subjects can complain to the PC.
As to when to give the notification, again a tough call has to be made. If you notify too soon, you may not have enough meaningful facts surrounding the breach (the forensic experts haven’t finished their job, etc.). On the other hand, depending on the type of data involved, a prompt notification – even if much detail remains to be learned – can help data subjects take steps to lessen their risks. There is, therefore, no hard and fast rule as to the timing of the notification, but be prepared to go earlier if that makes sense in all the circumstances.
How notice is given, and what other ancillary services the organization provides to data subjects (such as a means of tracking fraudulent use of personal information on behalf of specific users, and then alerting those users to untoward or unusual behaviour involving their data), all speak to a key objective of your organization when dealing with the fallout from a privacy breach: protecting your organization’s reputation.
Building a good reputation in the corporate world – or in any field of endeavour – can take many painstaking years of being very careful and prudent. Then, in one fell swoop, the reputation can be tarnished by a privacy breach – and further diminished by the organization’s poor or inadequate response to the crisis. Don’t let that happen to you; be prepared.