With advances in technology, organizations are collecting, storing and transferring more personal information about their consumers than they have in the past. The vast amount of information collected enables an organization to better target and increase the effectiveness of their marketing campaigns and better manage the organization’s interaction with the customer, creating a better experience. However, the accumulation of personal information increases the risks and impact of unauthorized access to the information, whether through security or data breaches.

On May 1, 2010, amendments were made to the Alberta Personal Information Protection Act3 (“PIPA”) and Alberta became the first Canadian jurisdiction to require mandatory security breach notification in the private sector. In two recent decisions released on May 11, 2011, the Alberta Privacy Commissioner (“Commissioner”) invoked the breach notification provisions4 and considered whether Best Buy Canada Ltd.5 (“Best Buy”) and Air Miles Reward Program6 (“Air Miles”) were required to provide notification to individual potentially affected by data breach.

What Happened?

Both Best Buy and Air Miles had contracted with Epsilon, a U.S. email marketing company, to send email marketing notifications to their customers and manage their reward and loyalty program. Epsilon suffered a major data breach March 30, 2011, which compromised the email addresses of 50 million or more customers. Best Buy and Air Miles were notified by Epsilon of the breach on March 31, 2011 and April 3, 2011, respectively. In compliance with PIPA, both Best Buy and Air Miles reported this breach to the Commissioner.7

PIPA provides that where an organization, such as Best Buy or Air Miles, engages the services of a foreign third party organization like Epsilon, that organization is responsible for such third party’s compliance.8 This means that even though it was Epsilon who suffered a data breach and not Best Buy or Air Miles, Best Buy and Air Miles could be liable for the breach and must ensure that they meet the breach notification requirements.

The Decision

In reviewing the breach and determining whether Best Buy and Air Miles were required to notify potentially affected individuals, the Commissioner had to consider whether there was a “real risk of significant harm” resulting from the breach.  These factors include:

“the magnitude of the breach, that is the number of affected individuals, the maliciousness of the breach including whether there are indications personal information was misappropriated for nefarious purposes, the sensitivity of the information and the harm that may result”9

The Commissioner reasoned that although the information affected (i.e. name, email addresses and organization membership) was relatively minor compared to other data breaches that involve unauthorized access of financial or other sensitive information, the sheer magnitude of the breach and the evidence that the information will likely be used for malicious purposes, such as spear phishing (as described below), indicated that there was a real risk of significant harm to affected individuals. The Commissioner described spear phishing as follows:

a targeted form of phishing where some information is already known about the target and this may improve the chance of success from a phishing attempt. In this case, affected individuals are likely to receive an email from criminals which has the appearance of originating from Best Buy which could invite the individual to open an attachment with malware or update a “profile” which would provide additional personal information to those with nefarious intentions.10

Based on the facts, the Commissioner concluded that there was a possibility of “significant harm”. The Commissioner then turned to whether there was a “real risk” and noted: (1) the magnitude of the Epsilon breach and the number of affected Best Buy and Air Miles Customers; and (2) the sophistication of the attack and the belief that Epsilon was targeted for nefarious purposes. The Commissioner further stated:

…even if there is only a one in a million chance that a Best Buy customer will be misled by a spear phishing email, either by providing personal information or intentionally or accidentally clicking an attachment that will install malware, with those rare odds, at least two affected individuals in Canada would actually be affected as a result of the breach…11

The Commissioner ultimately found that there was a “real risk” and required Best Buy and Air Miles to notify the affected individuals, which Best Buy and Air Miles did even before the breach notification decision was made.

Tips for Businesses

In response to the ever serious issues of data breach, organizations should consider implementing the following steps to protect data containing personal information:

  1. Develop a data breach protocol and ensure that it is updated periodically to reflect modern technologies and circumstances;
  2. Incorporate in the organization’s data breach protocol a step that requires a report to the Privacy Commissioner of any serious data breach;
  3. Ensure that all third party service contracts explicitly require the third party contractor to immediately inform the organization of any possible or suspected breach;
  4. Revise the organization’s record retention and destruction policies and procedures, so that personal information is destroyed or "anonymized" once it is no longer required in compliance with existing privacy law requirements; and
  5. Ensure all employees of the corporation are aware of, and in compliance with, the organization’s policies and practices relating to third party personal information.

In developing a set of policies and accompanying procedures, organizations should take the following four steps into account:

  1. Develop a comprehensive security program to protect the confidentiality, integrity and availability of all information, not just personal information.
  2. Develop data classification standards that identify personal information.
  3. Conduct a risk assessment of all personal information to ensure that proper security controls (i.e. authentication and encryption) are in place to protect these information assets; and
  4. Develop a policy for handling security breaches that addresses the compromise of personal information.