One of the highest-profile business, security and legal issues confronting consumers, private industry and government leaders in the last few years has been the breach of personal information, especially sensitive financial or health information. There has been a series of recent high-profile data breaches affecting individuals around the world. The massive breach at the TJX group of companies is only one recent example of the risk that consumers may face and the cost to the affected institution. It is reported that the TJX breach could cost approximately 1 billion dollars over 5 years. 2
The September 2007 issue of Harvard Business Review contains a case study by Eric McNulty, titled "Boss, I Think Someone Stole Our Customer Data." 3 The fictional article tells the tale of a data breach at Flayton Electronics. As the case unfolds, McNulty reveals the challenges and dilemmas facing Flayton's management as they move from the initial discovery of the breach through the difficult decisions they must make along the way to resolving the problem. A patchwork of state laws, media leaks and really bad advice ("Your communication strategy should be not to talk to anyone") are just some of the trials they encounter. The article ends with the CEO's resolute commitment: "We're going to decide what to do. Today."
Unfortunately, data breaches are more fact than fiction. The United States has produced a patchwork of legislative responses dealing with data breach notification. In Canada, data breaches have made their way onto the agendas of government leaders as a key area of concern. Recently, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (the "Committee") conducted the first mandated five-year review of the Personal Information Protection and Electronic Documents Act ("PIPEDA"). One of the key issues raised was the appropriate response of private sector organizations to privacy breaches.
On August 1, 2007, The Office of the Privacy Commissioner of Canada ("OPC") introduced voluntary guidelines (the "Guidelines") to assist organizations in responding to privacy breaches.4 The OPC developed the Guidelines working closely with input from representatives of private sector organizations, civil society organizations and Provincial Privacy Commissioner Offices.5
Canada's new Guidelines have received some international recognition. The Privacy Commissioner of New Zealand wasted no time in adopting them in August 2007 "without substantive change". The speed of adoption underlines not only the urgency and universality of the data breach problem, but also the common-sense and comprehensive approach to notification espoused by the Guidelines.
The OPC Guidelines are a useful starting point to help organizations develop and implement plans and strategies to prevent and respond to privacy breaches. The Guidelines help organizations identify the events that constitute privacy breaches by defining the term. They then outline the key steps that organizations should take towards containment, risk assessment, notification and prevention. A summary of the Guidelines is provided below:
What is a Privacy Breach?
A privacy breach occurs when there is unauthorized access to personal information or unauthorized collection, use, or disclosure of personal information. An activity is "unauthorized" if it occurs in contravention of applicable privacy legislation. Privacy breaches most commonly occur where personal information is lost, stolen, mistakenly disclosed, or as the consequence of faulty business procedure or operational breakdown.
Organizations should adopt preventative measures, including policies, procedural safeguards and the necessary training. Privacy breaches must be assessed on a case-by-case basis. However, the OPC has recommended four key steps for any organization to consider in responding to a privacy breach:
Breach Containment and Preliminary Assessment
An attempt should be made to contain a privacy breach immediately. A team should be assembled to assess the situation, make recommendations and determine the parties that must be notified of the breach. It is also critical to determine whether any criminal activity was involved in the breach and whether the evidence has been preserved.
Evaluation of the Risks Associated with the Breach
Following the initial response and preliminary assessment, an in-depth evaluation should be carried out to assess the risks associated with the breach. The evaluation should focus on the type of information released and whether it included personal information, the cause and extent of the breach, the individuals affected, and the foreseeable harm to them.
Notification
Notification is an important mitigation tool. If a privacy breach creates a risk of harm, the affected individuals should be notified. Each incident needs to be considered on a case-by-case basis. Organizations must consider whether to notify individuals, when, how and whom to notify, what the notification should include, and whether any others need to be notified of the breach (e.g. privacy commissioners, police and others).
Prevention of Future Breaches
Once the immediate steps have been taken to mitigate the risks associated with the breach, the organization must assess how the information was released and what security measures should be taken to prevent future breaches. Adopting a prevention plan is the first step. The organization can then determine other long-term measures, such as staff training, that will help prevent future breaches.