Managing personal information is a challenge, and privacy breaches can be a major headache for an organization. There have been a number of instances recently where personal information has been lost or stolen, leading to investigations by privacy commissioners, media attention and, in some cases, class action lawsuits. While most private-sector privacy statutes in Canada are currently silent about requiring organizations to notify individuals whose data might have been the subject of a security breach, it is very likely that law-makers and regulators will raise the bar for organizations when it comes to preventing, detecting and reporting breaches involving personal information.
McCarthy Tétrault Notes:
- This article identifies policies and practices that your organization should implement now to ensure that your organization’s response to future privacy breaches is timely and strategic and discusses some practical tips for responding to privacy breaches (including deciding whether to notify customers or regulators). However, if your organization is affected by a security breach, you should immediately seek legal advice in order to receive appropriate guidance in light of the particular nature and circumstances of the breach.
Privacy breaches may take place in numerous ways: data may be lost, improperly disposed of or improperly disclosed by the organization itself or by a subcontractor or service provider, or data may be stolen by an employee or third party (e.g., hacking, theft or fraud). Privacy commissioners in Canada have recently provided some guidance on what steps should be considered in the event of a security breach involving personal information. The Ontario, British Columbia and Alberta privacy commissioners have each issued guidelines on this important subject, and the federal Commissioner is expected to follow suit.
Even before a privacy breach occurs, there are a number of proactive steps your organization might wish to implement. These include:
- identifying the team that should be assembled when there is a breach (providing for flexibility depending on business units that are affected);
- drafting a policy/checklist tailored to your organization of steps to take in the event of a breach;
- ensuring that data retention policies are being followed (since, often, privacy breaches relate to information no longer used or relevant to your organization);
- ensuring that adequate security measures (including encryption, where appropriate) are in place in accordance with your organization’s applicable security policies; and
- ensuring that front-line staff are adequately trained in respect of privacy matters, including through clear guidelines regarding how, when and where to escalate (e.g., to the privacy officer or general counsel) any notification that a privacy breach has occurred.
In the event a privacy breach occurs, your organization should assess the situation and implement an appropriate action plan in a timely manner. The key objectives should be to contain the breach, assess and mitigate the risk to your organization’s employees, clients and customers, develop and implement a notification strategy that is timely and comprehensive (where appropriate), and review existing policies and procedures to ensure that the breach does not happen again. This will typically involve the following steps:
- assembly of an appropriate team to investigate the breach (e.g., individuals from privacy, security, IT, communications and legal) and development and implementation of your organization’s action plan (including an internal communications plan to communicate to employees and management);
- investigation of the facts surrounding the breach, including:
  - the chain of custody for the data
  - the date the breach occurred
  - how the breach occurred
  - when the breach was discovered
  - the number of individuals affected by the breach
  - the nature of the information that is the subject of the breach (e.g., health information, financial information, social insurance numbers, contact information, etc.)
  - whether there are any physical or technological impediments to unauthorized access to the information (e.g., password protection, encryption, etc.)
  - whether the information has already been inappropriately used or disclosed, and the likelihood that it will be in the future;
- determination of the jurisdiction(s) that are affected by the breach and the law(s) that may apply;
- assessment of the risk of harm if the information is in fact inappropriately used or disclosed (e.g., physical harm, fraud, identity theft, embarrassment or inconvenience to the individuals, loss of business or employment opportunities, etc.);
- determination of appropriateness of offering credit monitoring or other services to affected individuals;
- identification of the steps that your organization should take to mitigate the effect of the breach, both internal (e.g., retrieve copies, change passwords or access rights, back-up databases) and external (e.g., notify affected individuals, law enforcement, privacy commissioners or regulatory authorities, contractual reporting obligations if the data was being processed on behalf of another organization, etc.);
- if your organization decides to notify individuals of the breach, development of a notification plan to provide such notification (e.g., direct notification of affected individuals or indirect notification through public announcements);
- identification and implementation of steps to be taken by your organization to help prevent a reoccurrence (e.g., changes to company procedures, policies and contractual templates, changes to physical or technological safeguards and employee training); and
- development and implementation of a communications plan to manage follow-up questions and requests from affected individuals, employees, regulators, law enforcement and the media.
A determination of whether and how to notify affected individuals is a key, and difficult, issue to address. While Ontario’s Personal Health Information Protection Act (PHIPA) requires notification if personal health information is stolen, lost or accessed by unauthorized persons, other private sector privacy statutes in Canada such as the Personal Information Protection and Electronic Documents Act (PIPEDA), BC’s Personal Information Protection Act, Alberta’s Personal Information Protection Act, and Quebec’s Act Respecting the Protection of Personal Information in the Private Sector are silent on the subject. Some commentators suggest that in certain circumstances, a duty to notify may exist as an inherent part of the general obligation in the private sector privacy statutes that organizations ensure that appropriate security safeguards have been implemented to protect personal information, and the principle that an organization is accountable for the information under its control. Others point out that, in certain circumstances, providing notification of a breach may cause more harm than help (since, for instance, it may alert a thief of the potential value of the stolen materials). In the context of the current PIPEDA five-year review process, many have urged the government to clarify the nature and scope of privacy breach notification obligations.
In the absence of an explicit statutory obligation to notify, your organization should carefully consider, with the assistance of your legal advisors, whether notification is necessary or appropriate in light of the specific facts surrounding the privacy breach. This will involve an assessment of the sensitivity of the information and the potential for its misuse, as well as whether notification will assist in mitigating harm to the affected individuals (e.g., by allowing individuals to take steps to protect themselves) or whether it may exacerbate such harm.
Should your organization elect to notify, it is important to provide notification that includes all appropriate information. Guidance from privacy commissioners suggests that you should include the following information:
- the fact that a privacy breach occurred and a description of it;
- the sort of personal information that is involved;
- the steps the organization has taken to mitigate the harm, and any likely further steps;
- the steps affected individuals can take to further mitigate the risk of harm;
- a statement that affected individuals may have a right to complain to a privacy commissioner; and
- contact information of the organization where individuals can obtain additional information or assistance.