Background

Vast amounts of personal information are shared, provided, collected, massaged and used every day. This information can be stored or held in servers, desktop computers, laptops, computer discs, floppy discs, external hard drives, flash keys and even iPods. All this information should be collected and stored in a safe manner, with the level of safeguarding depending on the sensitivity of the information. However, we know from accounts in the media that personal information does get lost or stolen. In some instances of theft, the intent may simply be to steal a computer without interest in the information stored.

However, more recently the theft of storage devices has become of great interest to certain criminal elements because of the information on the computers rather than the computers (or storage devices) themselves.

The U.S. position

One of the very first high profile instances of criminals gaining access to personal information for nefarious purposes involved ChoicePoint, a data aggregator that collects and sells personal information. When it learned that a privacy breach had occurred, it sent letters to residents of California advising them of the breach. Because California was the only state, at the time, that required breach notification, ChoicePoint decided not to trouble residents in other states or countries by informing them of the breach. This failure to notify residents in other states did not sit well with various Attorneys General who reacted by passing legislation requiring organizations to provide notice in the event of any privacy breach. At the present time 39 states (along with the District of Columbia and Puerto Rico) have enacted some form of breach notification legislation, the most recent being Massachusetts.

Minnesota has responded to the recent TJX data breach by enacting amendments to its breach notification law which added security and liability provisions to the legislation relating to credit, debit and similar cards issued by financial institutions. The security requirements prohibit organizations which conduct business in Minnesota from retaining certain specified card data at all or beyond a short period of time following the authorization of a transaction. Four other U.S. state legislatures are considering similar legislation to supplement their breach notification legislation.

The Canadian situation

In Canada, there are federal and provincial laws that govern how organizations must deal with and protect the personal information of individuals. The federal legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), applies across Canada to commercial organizations. In those provinces which have enacted substantially similar legislation (British Columbia, Alberta, Quebec and Ontario – the latter only with respect to personal health information), the provincial legislation applies (although the federal legislation continues to apply in these provinces to federally regulated undertakings and in certain other limited circumstances).

However, there are no breach notification requirements in the Canadian legislation that are similar to those found in the United States, except for the provision in Ontario’s Personal Health Information Protection Act in s. 12(2) relating to personal health information held by a health information custodian. This has been perceived to be a gap in the protection afforded to individuals and their personal information in Canada. Despite the lack of breach notification legislation, the federal privacy commissioner, in consultation with her provincial counterparts, has developed a set of breach notification guidelines to be considered and utilized by organizations where a breach or potential breach has been identified. These guidelines were developed following consultation with certain stakeholder organizations that provided their comments and views on the competing or contrary interests that came to the fore as the discussions and debates ensued.

Key Steps for Organizations in Responding to Privacy Breaches was issued by the Office of the Privacy Commissioner of Canada on Aug. 3, 2007. The commissioner also issued a Privacy Breach Checklist to assist organizations that encounter the problem of a breach.

Description of privacy breach

The guidelines describe a privacy breach as an unauthorized access to or collection, use or disclosure of personal information. A breach can occur when information (or storage devices on which personal information is stored) is stolen or when personal information is transmitted to the wrong person(s). A privacy breach can also result from a faulty business procedure or an operational break-down.

Key steps in responding to a breach

The guidelines identify four key steps to consider when responding to a suspected or actual breach:

i) breach containment and preliminary assessment;

ii) evaluation of risks associated with the breach;

iii) notification of affected parties;

iv) prevention of a recurrence.

The guidelines contemplate the execution of steps (i), (ii) and (iii) concurrently. Step (iv) relates to longer term planning and development of practices and procedures that will eliminate the likelihood of another breach.

Organizations are encouraged, however, to deal with and respond to privacy breaches on a case-by-case basis.

The guidelines urge organizations to use common sense when responding to a breach or possible breach. The specific steps referred to in the guidelines under items (i) and (ii) speak to and reflect such common sense steps as putting a stop to the breach by changing practices or recovering the records, and appointing someone with sufficient authority to conduct an investigation.

The records that have been lost, stolen or misdirected should be evaluated to the extent possible, in order to determine the level of sensitivity of the personal information they contain. This evaluation helps to inform the decision about whether and how notification should be given to the individuals involved. As the guidelines note, if the records lost are the subscription list of a newspaper carrier, they may not be very sensitive. However, if it is a laptop containing payroll information that is lost, this information is likely very sensitive. In evaluating the risk, it is essential for an organization to consider the appropriate level of protection in place with respect to that information.

The guidelines also counsel organizations to consider the extent of the breach as part of the risk analysis, in terms of the number of persons affected and who they were – i.e., were the persons affected employees, customers or service providers.

An essential aspect of the risk analysis step is trying to determine whether any harm will result from the breach. This aspect has to consider the issue from a number of points of view: the individuals whose information has been disclosed, the identity of the possible recipient of the information, and whether there is any sort of relationship between the recipient and the individuals whose data was disclosed.

The risk analysis must also consider whether there is any risk of harm to the individual, whether physical harm, financial harm or harm to the individual’s reputation. The analysis has to consider, as well, whether the organization will suffer harm from the breach, including loss of trust or assets, risk of financial loss, or possible legal proceedings against it.

Following the identification and analysis of any suspected breach, an organization is faced with the challenge of what to do about the breach. The guidelines do not specifically advocate a wholesale notification practice. As noted, the guidelines recommend approaching these problems on a case-by-case basis. Depending on the nature of the information and who might have received it, breach notification may be necessary. The guidelines indicate that, “if a privacy breach creates a risk of harm to the individual, those affected should be notified.”

If the assessment has indicated that there is a risk of harm to individuals and notification should be given, the guidelines recommend that such notification be given promptly in order to assist the affected individuals to take the necessary steps to protect themselves.

However, as noted above, the guidelines do not advocate notification in every case. They state that “the key consideration in deciding whether to notify affected individuals should be whether notification is necessary in order to avoid or mitigate harm to an individual whose personal information has been inappropriately accessed, collected, used or disclosed.”

Once the organization has determined that notification of individuals is appropriate, it has to consider how to provide this notification. Generally, notification should be given directly to the affected individuals by letter, phone, e-mail or in person, depending on the particular facts of the case. There will be situations where notification by way of direct contact is not practical. In those circumstances, indirect contact through media, websites or posted notices may be the most appropriate.

Where the circumstances of a particular breach indicate that criminal activity may be involved and the police have been notified, the police ought to be involved and consulted prior to providing any notification of the breach. The guidelines also encourage organizations to contact the appropriate privacy commissioner about any real or suspected privacy breach in order to obtain the assistance and guidance of the commissioner in dealing with the matter.

Because so much personal information is being collected and retained by organizations these days through the wonders of technology, organizations must seriously and regularly take stock of what information has been collected, why it was collected, and how long it should be kept. In the case of sensitive information, this reflection and assessment should include consideration of how the information is protected. Passwords on laptops are no longer reliable protection for the information stored on the hard drive. Failure to continually monitor practices and procedures with respect to protecting personal information will leave organizations open to breaches because of faulty or outdated practices or protective measures. If a data breach occurs, the cost to the organization in terms of reputation, loss of customers and revenue, and potential legal proceedings will likely far outweigh the cost of vigilance with respect to the personal information which is collected and retained.

The guidelines are a very useful tool with which all organizations should familiarize themselves. These guidelines should be consulted in dealing with a privacy breach, should one occur, and they should be readily at hand for every privacy officer if the call ever comes that a privacy breach has occurred.

Originally Published in Privacy Pages, CBA National Privacy and Access Law Section newsletter, January 2008