Privacy protection has become a hot topic in recent years, due mainly to the ever-growing pervasiveness of new technologies and to the millions of individuals in North America who have found themselves victims of privacy breaches as a result.
A privacy breach may arise intentionally or inadvertently, but the effect may be equally devastating to its victims. Intentional breaches can consist of theft2 or an abuse or manipulation of the technologies that are so often used to catalogue and protect personal information.3 Hacking, which consists of breaching computer systems and electronic safeguards, is a serious problem, particularly due to the heavy reliance organizations place on computerized databases. Such intentional breaches are often vicious in nature and involve a deliberate desire to access, collect, use or disclose an individual’s personal information with a view to causing a disturbance or perpetrating a crime.
While deliberate, bad-faith activities, such as hacking and theft, are serious crimes that create risks for individuals whose personal information has been exposed, human error or ignorance is the most likely cause of privacy breaches. Privacy breaches based on human error or ignorance typically arise in cases of careless practices, mistaken disclosures, or operational, technical or communication breakdowns.4 The damages caused by inadvertent privacy breaches, though done without malice, can be just as serious as those caused by breaches that occur intentionally.
Breaches of privacy laws can expose individuals to risks such as embarrassment, loss of employment opportunity, loss of business opportunity, physical risks to safety and identity theft. Financial loss and identity theft have been recognized as two of the most serious and fastest growing crimes in North America.
Whether an organization suffers an intentional or unintentional breach, and regardless of whether the disclosed personal information is used for the perpetration of fraud or not, the organization is equally responsible for the privacy breach and for having contravened privacy legislation. It is therefore important for organizations to be aware of their responsibilities regarding the handling of personal information and their obligations under privacy laws. One of the key elements of an organization’s responsibilities is implementing practices designed to prevent breaches from occurring and enabling the organization to respond in a quick, efficient and effective manner should a breach occur.
Privacy Breaches – A Costly Affair
If bona fides isn’t reason enough to implement best practices for the prevention of privacy breaches, then the economics certainly are. Privacy breaches can impact a business’s bottom line in an exceptional and virus-like manner.
Businesses have to account for hard costs such as legislative fines and penalties, third party compensation, customer compensation, loss of profits, shareholder litigation and legal defence costs. Businesses also have to account for soft costs such as loss of goodwill, bad publicity, affected turnover and customer loyalty. While the calculation of such costs is not evident – with soft costs being so difficult to quantify and economic losses being incurred over a period of years – the effect can be staggering.
Below are several examples of some high-profile and costly privacy breaches which have occurred over the past four years:
Heartland Payment Systems (“Heartland”) – 2009. Said to be the largest data breach in history to date, Heartland’s security compromise allowed hackers to break into the payment processor’s networks and steal over 130 million credit and debit card numbers. In May 2010, Heartland’s breach expenses were estimated at $140 million, including settlement payments of nearly $60 million with Visa and $3.5 million with American Express, as well as $26 million in legal fees.5 Heartland has since come to an arrangement with MasterCard whereby Heartland agreed to pay MasterCard issuers $41.4 million to settle claims over the data breach.6 Heartland is still dealing with the aftermath of this breach, the total costs of which are as of yet uncertain.
Bank of New York Mellon (“BNY Mellon”) – 2008. The personal information of more than 12.5 million people was compromised as a result of BNY Mellon’s loss of six to ten unencrypted tapes containing Social Security numbers, names, addresses and birth dates.7 A year later, BNY Mellon reached a settlement agreement with the Connecticut Department of Consumer Protection and the Connecticut Department of Banking, agreeing to provide an additional year of credit monitoring to the individuals who were notified and to reimburse any individuals who had funds stolen from their accounts as a direct result of the breach. In addition, BNY Mellon agreed to pay $150,000 to the State of Connecticut General Fund.8
TJX Companies (“TJX”) – 2007. TJX suffered a considerable breach resulting in the theft of over 45 million customers’ credit and debit card numbers. The company lost $17 million and 3 cents per share by the end of its first quarter alone.9 Although original estimates placed the damages at $4.5 billion,10 the actual costs of the breach suffered by TJX are currently unknown. The company is said to have spent more than $20 million investigating the incident, notifying customers, and hiring lawyers to deal with the dozens of associated lawsuits.11 To date, TJX has entered into a number of settlement agreements, notably with MasterCard International Inc. ($24 million),12 Visa ($40.9 million),13 several banks, namely AmeriFirst Bank, HarborOne Credit Union, SELCO Community Credit Union and Trustco Bank ($525,000),14 41 different U.S. States for legislative breaches ($9.75 million total)15 and the individual victims of the breaches themselves (where TJX offered vouchers, cheques, reimbursement, insurance and legal fees, depending on the individual circumstances).16 While these settlement amounts are impressive and provide a hint as to the ultimate cost suffered by TJX, they do not reflect the internal costs incurred by TJX in rectifying the breach, which are likely substantial.
TD Ameritrade Holding Corp. (“TD Ameritrade”) – 2007. The names, addresses, phone numbers and “miscellaneous trading” information of more than 6 million retail and institutional customers of brokerage firm TD Ameritrade were compromised in a data breach.17 A class action lawsuit was filed against TD Ameritrade for the security breach. As of the date of writing this article, the court had just granted preliminary approval to a settlement of this case, which (1) requires payment of between $2.5 and $6.5 million to the class – each claimant is “entitled to seek cash benefits ranging from $50 to $2,500, depending ‘on the nature of the account affected by the identity theft and the type of expense and unreimbursed loss incurred . . . .’”; (2) sets a maximum of $500,000 for attorneys’ fees; and (3) requires TD Ameritrade to engage a third-party auditor to assess its data security practices.
Certegy Check Services (“Certegy”) – 2007. The personal information of approximately 5.9 million individuals was compromised when a Certegy employee stole customer records that revealed credit card, bank account and other personal information. Certegy recently signed a settlement agreement with the Florida Attorney General’s office, agreeing to provide either one year of free credit monitoring services or two years of bank account monitoring services to those affected. In addition, Certegy agreed to pay $850,000 to cover the state’s investigative costs and attorneys’ fees and to make a $125,000 contribution to Florida’s “Seniors vs. Crime” program, which provides educational, investigative and crime prevention programs for senior citizens.18
The above cases are some of the higher-profile and economically significant instances of data breaches; they also demonstrate the different types of hard costs all organizations risk suffering in the wake of privacy breaches. What these numbers do not measure is the internal cost of rectifying such breaches, nor the loss of goodwill that has undoubtedly been suffered by these organizations.
Globally, the average organizational cost of a data breach is measured at $3.4 million, while the average cost per compromised record is $142 – of which $63 pertains to indirect costs (including lost business) and $79 pertains to direct costs (including detection, escalation, notification and ex-post response). These statistics come from a recent report, sponsored by PGP Corporation, that analyzes the cost of data breaches in the United States, United Kingdom, Germany, France and Australia (all converted into U.S. dollars).19 Of these countries, the average organizational cost of a data breach was greatest in the United States, where the most expensive average data breach cost $6.75 million. Germany came in second at $3.44 million. The United Kingdom and France nearly tied for third, with average costs at $2.57 million and $2.53 million, respectively. Australia came in last with an average cost of $1.83 million.20
Best Practices to Limit Privacy Breaches
The best defence is a good offence. To limit privacy breaches, organizations need to be proactive and aggressive, and build their privacy practices on four pillars. First, management needs to understand their organization’s obligations under law and applicable standards. Privacy breaches are often defined by reference to obligations under the law. As such, one of the easiest ways to avoid privacy breaches is for organizations to have a good practical understanding of their obligations under privacy laws. While this exercise may begin with an understanding of statutory and regulatory obligations, it does not end there. Organizations then need to take a look at their own privacy policies, contracts with third parties and any industry standards to which the organizations are bound or to which they have voluntarily agreed to adhere.
Second, management needs to have a good understanding of their organization’s information handling practices. This includes understanding the nature and source of personal information on intake, understanding how the organization uses, stores, transfers and discloses personal information and, of course, understanding how the organization anonymizes, deletes or destroys personal information for which it no longer has any reasonable use.21 Developing and implementing wireless and technology-based security protections is key, particularly in today’s digital age. Thefts or hacking may be impossible to prevent, given the technological advancements that are made every day. Nevertheless, the use of strong encryption programs, password protection and digital locks will prevent unauthorized access to data that is stored on such electronic systems. Encryption has become the standard for storing personal information and health information on portable devices22 and practising privacy breach prevention can be as simple as deleting a data cache or wiping a hard drive.23
Destruction and Disposal of Personal Information
Once an organization has done its job and rationalized the personal information that it collects, uses and/or discloses, the organization will still need to ensure the personal information it does collect, use and/or store is returned, destroyed or deleted in an appropriate manner. Adequate destruction and disposal policies are a key element in the breach prevention equation.
Disposal and destruction policies and processes need to account for both the physical destruction and the technological elements of a file. Paper and hard-copy records that contain personal information should be shredded (ideally cross-shredded), and their destruction should be systematically monitored and certified, even if it occurs off-site.25 As for electronic files, unnecessary or unused sensitive data should be wiped, rendered unreadable and/or destroyed. This is particularly true if the organization intends to dispose of or donate its old computers, such that the computers could find their way into the hands of a third party.26
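The two preceding passages say that electronic records should be wiped or rendered unreadable before disposal, without showing what that means for a file on disk. The following Python script is an added illustration, not code from the article or from any organization it names: it overwrites a retired record in place (random passes, then zeros), forces each pass to disk, reads the result back as disposal evidence, and only then unlinks the file, since a plain delete releases the name while leaving the bytes on the storage medium. The sample record is constructed. The assumption stated in the comments applies: on SSDs and on journaling or copy-on-write filesystems an in-place overwrite may land on different physical blocks than the original data, so for those media the stronger control is the one the article already names, encryption at rest followed by destruction of the key.

```python
import os
import secrets
import tempfile

# Constructed sample record standing in for a customer file slated for disposal.
SAMPLE_RECORD = b"name=Jane Example;card=0000-0000-0000-0000;dob=1970-01-01\n" * 50


def overwrite_and_unlink(path: str, random_passes: int = 2) -> bytes:
    """Overwrite a file in place, fsync each pass, read the final contents back
    as evidence, then unlink it.

    Returns the bytes read back after the last pass so the caller can confirm
    the original record is gone from that path before the name is released.

    Assumption: the filesystem rewrites the same blocks in place. On SSDs and
    journaling/copy-on-write filesystems that is not guaranteed; prefer
    encryption at rest with key destruction (crypto-erase) for those media.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(random_passes):
            fh.seek(0)
            fh.write(secrets.token_bytes(size))
            fh.flush()
            os.fsync(fh.fileno())  # push this pass out of the page cache
        fh.seek(0)
        fh.write(b"\x00" * size)  # final zero pass leaves an easily audited state
        fh.flush()
        os.fsync(fh.fileno())
        fh.seek(0)
        evidence = fh.read()
    os.unlink(path)  # only release the name once the contents are gone
    return evidence


def dispose_record(record: bytes = SAMPLE_RECORD) -> dict:
    """Write the record to a temporary file, wipe it, and return the facts a
    disposal log would record: size wiped, whether any of the original
    survived, whether the final state is all zeros, and whether the file is gone."""
    fd, path = tempfile.mkstemp(prefix="retired-record-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(record)
    evidence = overwrite_and_unlink(path)
    return {
        "bytes_wiped": len(evidence),
        "original_present": record[:32] in evidence,
        "all_zero": evidence == b"\x00" * len(record),
        "file_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    print(dispose_record())
```

The returned dictionary is the kind of evidence a destruction policy asks to be "monitored and certified": it records that the bytes at that path were replaced and that the file was then removed. It does not certify the physical medium, which is why whole-disk encryption from the outset, with the key destroyed at disposal time, is the control to rely on for laptops and donated machines.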
Responding to Privacy Breaches
Despite implementation of best practices and preventative measures, privacy breaches do still occur. Often, weaknesses in privacy protection do not come to the attention of an organization until after a breach has occurred. While such a breach may be the result of faulty business practices or operational breakdowns, the organization should take key steps to immediately rectify any damage caused. The first 72 hours after the breach are crucial to its containment and to the containment of the potential harm or damages that may be suffered by third parties. If the organization does not act immediately and aggressively to contain and rectify the situation, the potential damages to individuals impacted by the breach become difficult to manage and the organization’s ability to limit its liability is severely compromised. As well, from a pure business perspective, getting out in front of a privacy breach with affected parties allows the organization to control the message and limit the damage to its reputation.
The first elements of a privacy breach response are containment and assessment. Containment and assessment of the breach are essential to the mitigation of the organization’s potential liability and damages, as well as to the suppression of adverse consequences felt by those individuals targeted by the breach. Containment need not be complicated, but should be immediate. Without immediate containment, the organization is permitting the breach to continue to occur and is widening its own liability exposure.
The organization needs to shut down the unauthorized practice, seek to recover the compromised records, if possible, and make changes to the system that was breached, such as a change to access codes or a system shutdown, so that a subsequent or ongoing breach is inhibited.27 The organization should coordinate an investigation to determine the scope of the breach and how the breach occurred. To do so, the organization should designate a responsible individual, if not a team of individuals, to administer the investigation. This investigation should commence concurrently with the shutdown process. If the breach is found to have resulted from a criminal activity, the organization should notify the police, as they too can play a crucial role in breach containment and the restoration of compromised data. Neglecting to notify police of a privacy breach caused by criminal or potentially criminal activity can compromise the ability of an organization to investigate and mitigate the breach.28
Alongside the investigation, the organization needs to consider and scope the potential damage that may be caused by the breach. This assessment requires a review of which data elements have been compromised, the sensitivity of those elements and the context in which that information might be manipulated or abused. Understanding the risks associated with the breach is a key element in focusing the breach response and in managing the risks to the individuals and the liability of the business.
After assessing the personal information involved, the cause and extent of the privacy breach, the individuals affected by the breach and any foreseeable harm from the breach, the organization should consider notifying any affected individuals, government regulators and the police. Many jurisdictions have mandatory breach notification requirements and an organization should be familiar with such requirements, as well as any obligations imposed on that organization by industry standards and/or contracts. While breach notification legislation is currently in its infancy in Canada,29 many states within the United States have established breach notification legislative provisions, many of which carry significant costs for failure to notify and for multiple violations.30
Organizations are not often willing to notify individuals affected by a privacy breach. Notification can lead to heightened consumer response, media involvement and loss of goodwill. Organizations will usually want to avoid any negative publicity or public backlash unless they are compelled by law to do so. A choice not to notify is typically premised on the belief that consumers and/or media would not otherwise find out about the breach. In this age of instant communication, premising a business strategy on a belief that word of the breach will not get out is flawed and can be quite costly. Depending on the jurisdiction where the breach occurred and the jurisdiction where damages are suffered, organizations responsible for privacy breaches can risk facing serious lawsuits and substantial monetary penalties.
While breach notification will likely bring heightened inquiries and complaints from individuals, as well as publicity, breach notification, if handled correctly, can be beneficial to an organization. Breach notification can be an important tool in mitigating an organization’s damages and can allow the organization, and not the press or privacy commissioners, to control the message being sent to the public.
Some argue that an organization which notifies individuals impacted by a privacy breach will limit its potential damages as a result of the breach. That belief is based on the premise that notification empowers those affected individuals to take action in mitigating any harm that otherwise would have been suffered by them. In turn, this mitigation of damages mitigates the organization’s liability.
Content of Breach Notification
The content and type of breach notification is not always legislated and may vary, depending on the type of breach and the individuals affected. Notifications may be direct or indirect. Direct communication is more personal, addresses the specific personal information at issue for that individual and, as a result, is more effective. Unfortunately, direct communication is not always practical. Content of the notification will vary, as appropriate, and may include information about the incident, details on what the organization has done and will do to control or reduce the harm, information on how individuals can protect themselves and contact information, should the individuals have any questions or concerns about the breach.31 Notification content should also take into account whether or not a police investigation of the breach is ongoing, as disclosure of some information may not be sensible in certain circumstances.
Canadian Privacy Laws and Breach Notification
To date, outside of Alberta and certain provincial health information legislation, Canada has not had clear breach notification requirements for businesses facing a breach of their privacy safeguards in respect of the personal information they hold. Though the Privacy Commissioners across the country have provided examples of “best practices” in such situations, the majority of businesses are not required by law to disclose a privacy breach.
Organizations in Alberta, to the extent they are subject to the Personal Information Protection Act (Alberta), must provide notice to Alberta’s privacy commissioner, without unreasonable delay, of an incident involving the loss of, or unauthorized access to or disclosure of, personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.32 In addition, Alberta’s privacy commissioner may require organizations to notify individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure.33
Amendments have also been proposed to the Personal Information Protection and Electronic Documents Act (“PIPEDA”), as set forth in Bill C-29.
Should Bill C-29 become law, PIPEDA would impose two separate levels of breach notification, one in respect of notifying the Privacy Commissioner of Canada, and another in respect of notifying individuals whose personal information has been compromised by the breach. As a result of section 10.1 of the proposed Bill C-29, a company would be required to disclose a breach of privacy laws to the Privacy Commissioner of Canada where there has been a “material breach of security safeguards under its control.” Whether a breach will be considered “material” must be determined by the company through examining several factors, including the sensitivity of the information implicated in the breach, the number of individuals affected, and whether the breach represents a systematic failure to safeguard personal information by the organization.
Under section 10.2 of the proposed Bill C-29, an organization would have to inform an individual of a breach of the privacy safeguards implemented by it where there is a reasonable chance the breach “creates a real risk of significant harm to the individual.” The provision sets forth a broad spectrum for the kind of harm that an individual could experience as a result of the breach, including but not limited to humiliation and financial loss, and provides several factors to consider in evaluating the harmful nature of the breach to the individual. The breach is more likely to be considered harmful to the individual if the personal information involved is sensitive and likely to be misused.
Once an organization finishes managing the immediate consequences of the breach, it should take the information learned from the breach investigation and re-evaluate its policies and safeguards. It is not sufficient for an organization to mitigate breach consequences. Organizations must implement preventative practices, such as those noted above, to prevent future occurrences of privacy breaches.34 In developing or updating its practices, an organization may wish to consider conducting a security audit of both physical and technical information handling practices; a review of policies and procedures; a review of employee training practices; and a review of partners, including consultants and other service providers.35
The resources expended by organizations in implementing best practices for the prevention of privacy breaches pale in comparison to the above statistics. One emerging consideration in risk management is the purchase of privacy liability insurance. Policies may cover damages that arise out of unauthorized access to, collection of, and use or disclosure of personal information that results in harm to employees or third parties; defence expenses as a result of regulatory or criminal investigations; crisis management and notification expenses; and/or network security liability.36 While insurance policies may be costly, organizations may wish to pursue them as a protective measure against the otherwise exorbitant costs entailed in managing and mitigating a privacy breach.
While privacy protection may not always be seen as a main priority, it is indisputable that the effects of a privacy breach can be devastating, both to the affected individuals as well as to the organizations involved. Privacy breaches not only undermine the affected individuals’ confidence in the organization responsible for the breach, but also risk adversely influencing consumers’ confidence in commercial markets, generally. Privacy breaches risk discouraging consumerism and making individuals increasingly wary of where and how they transact. Recent years have seen an increase in organizational dependence on amassing and analyzing significant amounts of personal information, globally, through electronic databases.
The increasing scope and reach of global privacy breaches will have considerable long-term effects on consumers’ confidence in electronic commerce and, consequently, on the global economy in general.