Canada: Privacy Breaches - Impact, Notification And Strategic Plans*

Last Updated: April 20 2011
Article by Paige Backman

Context

Privacy protection has become a hot topic in recent years, due mainly to the ever-growing pervasiveness of new technologies and to the millions of individuals in North America who have found themselves victims of privacy breaches as a result.

A privacy breach occurs when an individual's personal information is accessed, collected, used or disclosed in contravention of applicable privacy legislation or privacy policy. "Personal information," which is defined differently in different statutes, is the cornerstone to most privacy laws. Personal information usually refers to information that is about an identifiable individual. Some of the more obvious examples of personal information include information pertaining to an individual's home address, nationality or ethnic origin, colour, religion, age or marital status; education, health, employment or criminal history; personal identification numbers, such as those listed on a driver's license or a bank account number; biometric particulars, such as fingerprints or blood type; and sexual preference or political affiliation.

A privacy breach may arise intentionally or inadvertently, but the effect on its victims may be equally devastating. Intentional breaches can consist of theft1 or an abuse or manipulation of the technologies that are so often used to catalogue and protect personal information.2 Hacking, which consists of breaching computer systems and electronic safeguards, is a serious problem, particularly given the heavy reliance organizations place on computerized databases. Such intentional breaches are often vicious in nature and consist of a deliberate desire to access, collect, use or disclose an individual's personal information with a view to causing a disturbance or perpetrating a crime.

While deliberate, bad faith activities, such as hacking and theft, are serious crimes that cause risks to individuals whose personal information has been exposed, human error or ignorance is often the most likely cause of privacy breaches. Privacy breaches based on human error or ignorance typically arise in cases of careless practices, mistaken disclosures, or operational, technical or communication breakdowns.3 The damages caused by inadvertent privacy breaches, though done without malice, can be just as serious as those breaches that occur intentionally.

Breaches of privacy laws can expose individuals to risks such as embarrassment, loss of employment opportunity, loss of business opportunity, physical risks to safety and identity theft. Financial loss and identity theft have been recognized as two of the most serious and fastest growing crimes in North America.

Whether an organization suffers an intentional or unintentional breach, and regardless of whether the disclosed personal information is used for the perpetration of fraud or not, the organization is equally responsible for the privacy breach and for having contravened privacy legislation. It is therefore important for organizations to be aware of their responsibilities regarding the handling of personal information and their obligations under privacy laws. One of the key elements of an organization's responsibilities is implementing practices designed to prevent breaches from occurring and enabling the organization to respond in a quick, efficient and effective manner should a breach occur.

Privacy Breaches – A Costly Affair

If bona fides isn't reason enough to implement best practices for the prevention of privacy breaches, then the economics certainly are. Privacy breaches can impact a business's bottom line in an exceptional and virus-like manner.

Businesses have to account for hard costs such as legislative fines and penalties, third party compensation, customer compensation, loss of profits, shareholder litigation and legal defence costs. Businesses also have to account for soft costs such as loss of goodwill, bad publicity, affected turnover and customer loyalty. While the calculation of such costs is not straightforward – with soft costs being so difficult to quantify and economic losses being incurred over a period of years – the effect can be staggering.

Below are several examples of some high-profile and costly privacy breaches which have occurred over the past four years:

Heartland Payment Systems ("Heartland") – 2009. Said to be the largest data breach in history to date, Heartland's security compromise allowed hackers to break into the payment processor's networks and steal over 130 million credit and debit card numbers. In May 2010, Heartland's breach expenses were estimated at $140 million, including settlement payments of nearly $60 million with Visa and $3.5 million with American Express, as well as $26 million in legal fees.4 Heartland has since come to an arrangement with MasterCard whereby Heartland agreed to pay MasterCard issuers $41.4 million to settle claims over the data breach.5 Heartland is still dealing with the aftermath of this breach, the total costs of which are as of yet uncertain.

Bank of New York Mellon ("BNY Mellon") – 2008. The personal information of more than 12.5 million people was compromised as a result of the BNY Mellon's loss of six to ten unencrypted tapes containing Social Security numbers, names, addresses and birth dates.6 A year later, BNY Mellon reached a settlement agreement with the Connecticut Department of Consumer Protection and the Connecticut Department of Banking, agreeing to provide an additional year of creditor monitoring to the individuals who were notified and to reimburse any individuals who had had funds stolen from their accounts as a direct result of the breach. In addition, BNY Mellon agreed to pay $150,000 to the State of Connecticut General fund.7

TJX Companies ("TJX") – 2007. TJX suffered a considerable breach resulting in the theft of over 45 million customers' credit and debit card numbers. The company lost $17 million and 3 cents per share by the end of its first quarter alone.8 Although original estimates placed the damages at $4.5 billion,9 the actual costs of the breach suffered by TJX are currently unknown. The company is said to have spent more than $20 million investigating the incident, notifying customers and hiring lawyers to deal with the dozens of associated lawsuits.10 To date, TJX has entered into a number of settlement agreements, notably with MasterCard International Inc. ($24 million),11 Visa ($40.9 million),12 several banks, namely AmeriFirst Bank, HarborOne Credit Union, SELCO Community Credit Union and Trustco Bank ($525,000),13 41 different U.S. States for legislative breaches ($9.75 million total)14 and the individual victims of the breaches themselves (where TJX offered vouchers, cheques, reimbursement, insurance and legal fees, depending on the individual circumstances).15 While these settlement amounts are impressive and provide a hint as to the ultimate cost suffered by TJX, they do not reflect the internal costs incurred by TJX in rectifying the breach, which are likely substantial.

TD Ameritrade Holding Corp. ("TD Ameritrade") – 2007. The names, addresses, phone numbers and "miscellaneous trading" information of more than 6 million retail and institutional customers of brokerage firm TD Ameritrade were compromised in a data breach.16 A class action lawsuit was filed against TD Ameritrade for the security breach. As of the date of writing this article, the court had just granted preliminary approval to a settlement of this case, which (1) requires payment of between $2.5 million and $6.5 million to the class – each claimant is "entitled to seek cash benefits ranging from $50 to $2,500, depending 'on the nature of the account affected by the identity theft and the type of expense and unreimbursed loss incurred . . . .'"; (2) sets a maximum of $500,000 for attorneys' fees; and (3) requires TD Ameritrade to engage a third party auditor to assess its data security practices.

Certegy Check Services ("Certegy") – 2007. The personal information of approximately 5.9 million individuals was compromised when a Certegy employee stole customer records that revealed credit card, bank account and other personal information. Certegy recently signed a settlement agreement with the Florida Attorney General's office, agreeing to provide either one year of free credit monitoring services or two years of bank account monitoring services to those affected. In addition, Certegy agreed to pay $850,000 to cover the state's investigative costs and attorneys' fees and to make a $125,000 contribution to Florida's "Seniors vs. Crime" program, which provides educational, investigative and crime prevention programs for senior citizens.17

The above cases are some of the higher profile and economically significant instances of data breaches; they also demonstrate the different types of hard costs all organizations risk suffering in the wake of privacy breaches. What these numbers do not measure are the internal costs of rectifying such breaches and the loss of goodwill that has undoubtedly been suffered by these organizations.

Globally, the average organizational cost of a data breach is measured at $3.4 million, while the average cost per compromised record is $142 – of which $63 pertains to indirect costs (including lost business) and $79 pertains to direct costs (including detection, escalation, notification and ex-post response). These statistics come from a recent report, sponsored by PGP Corporation, that analyzes the cost of data breaches in the United States, United Kingdom, Germany, France and Australia (all converted into U.S. dollars).18 Of these countries, the average organizational cost of a data breach was greatest in the United States, where the most expensive average data breach cost $6.75 million. Germany came in second at $3.44 million. The United Kingdom and France nearly tied for third, with average costs at $2.57 million and $2.53 million, respectively. Australia came in last with an average cost of $1.83 million.19

Best Practices to Limit Privacy Breaches

The best defence is a good offence. To limit privacy breaches, organizations need to be proactive and aggressive, and build their privacy practices on four pillars. First, management needs to understand their organization's obligations under law and applicable standards. Privacy breaches are often defined by reference to obligations under the law. As such, one of the easiest ways to avoid privacy breaches is for organizations to have a good practical understanding of their obligations under privacy laws. While this exercise may begin with an understanding of statutory and regulatory obligations, it does not end there. Organizations then need to take a look at their own privacy policies, contracts with third parties and any industry standards to which the organizations are bound or to which they have voluntarily agreed to adhere.

Second, management needs to have a good understanding of their organization's information handling practices. This includes understanding the nature and source of personal information on intake; understanding how the organization uses, stores, transfers and discloses personal information; and, of course, understanding how the organization anonymizes, deletes or destroys personal information for which it no longer has any reasonable use.20 Developing and implementing wireless and other technology-based security protections is key, particularly in today's digital age. Theft or hacking may be impossible to prevent entirely, given the technological advancements that are made every day. Nevertheless, the use of strong encryption programs, password protection and digital locks will prevent unauthorized access to data that is stored on such electronic systems. Encryption has become the standard for storing personal information and health information on portable devices21 and practicing privacy breach prevention can be as simple as deleting a data cache or wiping a hard drive.22

Third, management needs to ensure their organization has a privacy policy (for internal and external distribution) that reflects the organization's personal information handling practices and, of course, compliance with laws and applicable standards.23

Fourth, once a privacy policy is developed, management needs to implement the provisions of such policy. A key element of such implementation involves management ensuring that its employees, officers, directors, consultants and the third parties with whom the organization does business understand and comply with the organization's privacy policies. If employees, officers and directors are not properly educated, both with regard to obligations at law and the organization's particular privacy policies, privacy breaches are virtually impossible to prevent. Once an organization ensures that its own personnel understand their obligations, the organization needs to ensure that each third party to whom it has disclosed, transferred or otherwise granted access to personal information is also aware of and complies with the organization's privacy policies. Compliance obligations of third parties should be set out in written contractual terms to establish agreed-upon standards and avoid misunderstanding. Contractual terms should address security obligations, restrictions on use and disclosure of the personal information, breach notification obligations, as well as obligations to assist in investigating allegations of privacy breaches and/or responding to inquiries and claims from individuals and government officials. To ensure each third party's compliance with its obligations, the contract should include an audit right in favour of the organization relating to the third party's practices.

Destruction and Disposal of Personal Information

Once an organization has done its job and rationalized the personal information that it collects, uses and/or discloses, the organization will still need to ensure the personal information it does collect, use and/or store is returned, destroyed or deleted in an appropriate manner. Adequate destruction and disposal policies are a key element in the breach prevention equation.

Disposal and destruction policies and processes need to account for both the physical destruction and the technological elements of a file. Paper and hard copy records that contain personal information should be shredded (ideally cross-shredded), and their destruction should be systematically monitored and certified, even if it occurs off-site.24 As for electronic files, unnecessary or unused sensitive data should be wiped, rendered unreadable and/or destroyed. This is particularly true if the organization intends to dispose of or donate its old computers, such that the computers could find their way into the hands of a third party.25

Responding to Privacy Breaches

Despite implementation of best practices and preventative measures, privacy breaches do still occur. Often, weaknesses in privacy protection do not come to the attention of an organization until after a breach has occurred. While such a breach may be the result of faulty business practices or operational breakdowns, the organization should take key steps to immediately rectify any damage caused. The first 72 hours of the breach are crucial to its containment and to the containment of the potential harm or damages that may be suffered by third parties. If the organization does not act immediately and aggressively to contain and rectify the situation, the potential damages to individuals impacted by the breach become difficult to manage and the organization's ability to limit its resulting liability is severely compromised. As well, from a pure business perspective, getting out in front of a privacy breach with affected parties allows the organization to control the message and limit the damage to its reputation.

The first elements of a privacy breach response are containment and assessment. Containment and assessment of the breach are essential to the mitigation of the organization's potential liability and damages, as well as to the suppression of adverse consequences felt by those individuals targeted by the breach. Containment need not be complicated, but it should be immediate. Without immediate containment, the organization permits the breach to continue and widens its own liability exposure. The organization needs to shut down the unauthorized practice, seek to recover the compromised records, if possible, and make changes to the system that was breached, such as a change to access codes or a system shutdown, so that a subsequent or ongoing breach is inhibited.26

The organization should coordinate an investigation to determine the scope of the breach and how the breach occurred. To do so, the organization should designate a responsible individual, if not a team of individuals, to administer the investigation. This investigation should commence concurrently with the shutdown process. If the breach is found to have resulted from a criminal activity, the organization should notify the police, as they too can play a crucial role in breach containment and the restoration of compromised data. Neglecting to notify police of a privacy breach caused by criminal or potentially criminal activity can compromise the ability of an organization to investigate and mitigate the breach.27

Alongside the investigation, the organization needs to consider and scope the potential damage that may be caused by the breach. This assessment requires a review of which data elements have been compromised, the sensitivity of those elements and the context in which that information might be manipulated or abused. Understanding the risks associated with the breach is a key element in focusing the breach response and in managing the risks to the individuals and the liability of the business.

Breach Notification

After assessing the personal information involved, the cause and extent of the privacy breach, the individuals affected by the breach and any foreseeable harm from the breach, the organization should consider notifying any affected individuals, government regulators and the police. Many jurisdictions have mandatory breach notification requirements and an organization should be familiar with such requirements, as well as any obligations imposed on that organization by industry standards and/or contracts. While breach notification legislation is currently in its infancy in Canada,28 many states within the United States have established breach notification legislative provisions, many of which carry significant costs for failure to notify and for multiple violations.29

Organizations are not often willing to notify individuals affected by a privacy breach. Notification can lead to heightened consumer response, media involvement and loss of goodwill. Organizations will usually want to avoid any negative publicity or public backlash unless they are compelled by law to do so. A choice not to notify is typically premised on the belief that consumers and/or media would not otherwise find out about the breach. In this age of instant communication, premising a business strategy on a belief that word of the breach will not get out is flawed and can be quite costly. Depending on the jurisdiction where the breach occurred and the jurisdiction where damages are suffered, organizations responsible for privacy breaches can risk facing serious lawsuits and substantial monetary penalties.

While breach notification will likely result in heightened inquiries and complaints from individuals, as well as publicity, breach notification, if handled correctly, can be beneficial to an organization. Breach notification can be an important tool in mitigating an organization's damages and can allow the organization, and not the press or privacy commissioners, to control the message being sent to the public.

Some argue that an organization which notifies individuals impacted by a privacy breach will limit its potential damages as a result of the breach. That belief is based on the premise that notification empowers those affected individuals to take action in mitigating any harm that they would otherwise have suffered. In turn, this mitigation of damages mitigates the organization's liability.

Content of Breach Notification

The content and type of breach notification is not always legislated and may vary, depending on the type of breach and the individuals affected. Notifications may be direct or indirect. Direct communication is more personal, addresses the specific personal information at issue for that individual and, as a result, is more effective. Unfortunately, direct communication is not always practical. Content of the notification will vary, as appropriate, and may include information about the incident, details on what the organization has done and will do to control or reduce the harm, information on how individuals can protect themselves and contact information, should the individuals have any questions or concerns about the breach.30 Notification content should also take into account whether or not a police investigation of the breach is ongoing, as disclosure of some information may not be sensible in certain circumstances.

Canadian Privacy Laws and Breach Notification

To date, outside of Alberta and certain provincial health information legislation, Canada has not had clear breach notification requirements for businesses facing a breach of their privacy safeguards in respect of the personal information they hold. Though the Privacy Commissioners across the country have provided examples of "best practices" in such situations, the majority of businesses are not required by law to disclose a privacy breach.

Organizations in Alberta, to the extent they are subject to the Personal Information Protection Act (Alberta), must provide notice to Alberta's privacy commissioner, without unreasonable delay, of an incident involving the loss of or unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.31 In addition, Alberta's privacy commissioner may require organizations to notify individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure.32

Amendments have also been proposed to the Personal Information Protection and Electronic Documents Act ("PIPEDA"), as set forth in Bill C-29.

Should Bill C-29 become law, PIPEDA would impose two separate levels of breach notification, one in respect of notifying the Privacy Commissioner of Canada, and another in respect of notifying individuals whose personal information has been compromised by the breach. As a result of section 10.1 of the proposed Bill C-29, a company would be required to disclose a breach of privacy laws to the Privacy Commissioner of Canada where there has been a "material breach of security safeguards under its control." Whether a breach will be considered "material" must be determined by the company through examining several factors, including the sensitivity of the information implicated in the breach, the number of individuals affected, and whether the breach represents a systematic failure to safeguard personal information by the organization.

Under section 10.2 of the proposed Bill C-29, an organization would have to inform an individual of a breach of the privacy safeguards implemented by it where there is a reasonable chance the breach "creates a real risk of significant harm to the individual." The provision sets forth a broad spectrum for the kind of harm that an individual could experience as a result of the breach, including but not limited to humiliation and financial loss, and provides several factors to consider in evaluating the harmful nature of the breach to the individual. The breach will more likely be considered harmful to the individual if the personal information involved is sensitive and likely to be misused.

Post-Breach Management

Once an organization finishes managing the immediate consequences of the breach, it should take the information learned from the breach investigation and re-evaluate its policies and safeguards. It is not sufficient for an organization to mitigate breach consequences. Organizations must implement preventative practices, such as those noted above, to prevent future occurrences of privacy breaches.33 In developing or updating its practices, an organization may wish to consider conducting a security audit of both physical and technical information handling practices; a review of policies and procedures; a review of employee training practices; and a review of partners, including consultants and other service providers.34

The resources expended by organizations in implementing best practices for the prevention of privacy breaches pale in comparison to the above statistics. One rising consideration in risk management is the purchase of privacy liability insurance. Policies may cover damages that arise out of unauthorized access to, collection of, and use or disclosure of personal information that results in harm to employees or third parties; defence expenses as a result of regulatory or criminal investigations; crisis management and notification expenses; and/or network security liability.35 While insurance policies may be costly, organizations may wish to pursue them as a protective measure against the otherwise exorbitant costs entailed in managing and mitigating a privacy breach.

While privacy protection may not always be seen as a main priority, it is indisputable that the effects of a privacy breach can be devastating, both to the affected individuals as well as to the organizations involved. Privacy breaches not only undermine the affected individuals' confidence in the organization responsible for the breach, but also risk adversely influencing consumers' confidence in commercial markets, generally. Privacy breaches risk discouraging consumerism and making individuals increasingly wary of where and how they transact. Recent years have seen an increase in organizational dependence on amassing and analyzing significant amounts of personal information, globally, through electronic databases.

The increasing scope and reach of global privacy breaches will have considerable long-term effects on consumers' confidence in electronic commerce and, consequently, on the global economy in general.

Footnotes

* Authored by Paige Backman, a partner in Aird & Berlis LLP's Corporate Group and the Privacy, Technology and Communication Industry Team. Acknowledgement and great appreciation is extended to Karen Levin, an articling student at Aird & Berlis LLP for her assistance with this paper.

1. In January 2007, for example, a laptop computer containing the personal health information of approximately 3,000 patients at the Hospital for Sick Children was stolen from the car of a physician, who had taken the laptop home to do data analysis. See discussion in Curtis Rush's "Sick Kids' laptop theft angers watchdog" (7 March 2007), online: The Star http://www.thestar.com.

2. In September 2008, for example, an Agriculture and Agri-Food Canada (AAFC) IT system administrator discovered that two servers had been hacked and that approximately 60,000 personal data records of agricultural producers were exposed. See "Findings under the Privacy Act: Amateur hacks into Agriculture and Agri-Food Canada computers" (18 June 2010), online: Office of the Privacy Commissioner of Canada http://www.priv.gc.ca.

3. See, e.g., "Johns Hopkins University e-mail attachment error exposed personal info" (22 October 2010), online: PHIprivacy.net http://www.phiprivacy.net. In this case, approximately 85 staff members at Johns Hopkins University received an e-mail from the Applied Physics Laboratory's benefits office that contained an incorrect attachment, identifying names, Social Security numbers, and birthdates on 692 dependents of the Lab's staff members.

4. Jaikumar Vijayan, "Heartland breach expenses pegged at $140M – so far" (10 May 2010), online: Computerworld http://www.computerworld.com.

5. "Heartland settles with MasterCard over data breach" (20 May 2010), online: InfoSecurity http://www.infosecurity-us.com.

6. Jonathan Stempel, "Bank of NY Mellon data breach now affects 12.5 mln" (28 August 2008), online: Reuters http://www.reuters.com.

7. Connecticut Department of Banking, "News Release: Department of Consumer Protection and Department of Banking Announce Settlement with Bank of New York Mellon for 2008 Data Breach" (3 February 2008), online: State of Connecticut http://www.ct.gov.

8. Sharon Guadin, "T.J. Maxx Breach Costs Hit $17 Million" (17 May 2007), online: InformationWeek http://www.informationweek.com.

9. Ibid.

10. Ki Mae Heussner, "10 of the Top Data Breaches of the Decade" (14 June 2010), online: ABC News http://abcnews.go.com.

11. "TJX, MasterCard settle" (3 April 2008), The Globe and Mail, online: Thomson Reuters, 2008 WLNR 6236375.

12. Linda McGlasson, "TJX, Visa Agree to $40.9 Million Payout for Data Breach" (4 December 2007), online: Bank Information Security http://www.bankinfosecurity.com.

13. Jaikumar Vijayan, "TJX agrees to settle another breach lawsuit for $525,000" (3 September 2009), online: Computerworld http://www.computerworld.com.

14. Mitch Lipka, "T.J. Maxx owner pays $9.75 million, settles with 41 states over massive data breaches" (23 July 2009), online: WalletPop http://www.walletpop.com.

15. Wendy Gross, "TJX Enters into Proposed Settlement Agreement of Customer Class Actions" (8 August 2008), online: McCarthy Tetrault http://www.mccarthy.ca.

16. Jaikumar Vijayan, "Names, contact info on 6M TD Ameritrade customers compromised" (14 September 2007), online: Computerworld http://www.computerworld.com.

17. Larry Barrett, "Certegy Settles in Florida Data Breach Incident" (19 April 2010), online: eSecurity Planet http://www.esecurityplanet.com.

18. Ponemon Institute, LLC, "2009 Annual Study: Global Cost of a Data Breach" (April 2010), online: EncryptionReports.com http://www.encryptionreports.com/download/Ponemon_COB_2009_GL.pdf.

19. Ibid.

20. The corollary of this review is that management then needs to rationalize such practices to ensure the least amount of personal information is collected, used and disclosed and, otherwise, to ensure compliance with laws.

21. Encryption, for example, has become the standard in Canada for storing personal or health information on portable devices. See, e.g., "Level of security on stolen laptops simply not acceptable, says Commissioner" (24 June 2009), online: Office of the Information and Privacy Commissioner of Alberta http://www.oipc.ab.ca/Content_Files/Files/News/NR_AHS_Laptops_Jun_09.pdf and "Hundreds of Ont. patient health files stolen: Privacy commissioner calls for more data security education" (4 August 2010), online: CBC News http://www.cbc.ca.

22. See, e.g., "How safe is your scan? Copy machines spill identity secrets" (19 October 2010), online: CBC News (http://www.cbc.ca), where it is revealed that personal information that has been scanned into certain digital photocopier hard drives can be easily tapped, unless the units are wiped clean.

23. As laws relating to privacy are in relative infancy, and because technologies used to collect, store, transfer, process and steal personal information are always evolving, there may be circumstances when an organization may not know how to develop adequate privacy policies to ensure appropriate protection relating to the personal information in its care and for which it is responsible. In those circumstances, organizations should approach their legal departments and privacy or data commissioners.

24. When a traveller complained to the Office of the Privacy Commissioner of Canada after discovering a passenger manifest in a recycling bin at Toronto's train station, the Office of the Privacy Commissioner launched an investigation, which showed that the information printed on the document could have allowed unauthorized access to personal information. The train company, VIA Rail, made immediate changes to its procedures for handling passenger manifests and, as a result, directed all employees to shred such documents before recycling them. See "Findings under the Privacy Act: VIA updates procedures after passenger finds manifest in recycling bin" (18 June 2010), online: Office of the Privacy Commissioner of Canada http://www.priv.gc.ca.

25. See discussion on disposal of personal information and best practices at "Audit Report of the Privacy Commissioner of Canada: Personal Information Disposal Practices in Selected Federal Institutions, Section 37 of the Privacy Act, Final Report 2010" (2010), online: Office of the Privacy Commissioner of Canada http://www.priv.gc.ca.

26. "Key Steps for Organizations in Responding to Privacy Breaches" (28 August 2007), online: Office of the Privacy Commissioner of Canada http://www.priv.gc.ca.

27. See, e.g., PIPEDA Case Summary #2008-395: Commissioner initiates safeguards complaint against CIBC (25 September 2008), online: Office of the Privacy Commissioner of Canada http://www.priv.gc.ca. In this case, the Office of the Privacy Commissioner of Canada (OPC) criticized one of Canada's largest banks, the Canadian Imperial Bank of Commerce (CIBC), for its mishandling of a privacy breach. The bank had shipped a disk drive containing the unencrypted personal information of more than 400,000 clients from Montreal, Quebec to Markham, Ontario. When the package arrived in Ontario, the disk drive was missing. The OPC noted that CIBC should not have waited 24 days before notifying the Montreal police of the breach.

28. The Minister of Industry, the Honourable Tony Clement, recently introduced new legislation in the House of Commons that would impose a data breach notification requirement on private-sector organizations. See Bill C-29, An Act to amend the Personal Information Protection and Electronic Documents Act, 3rd Sess, 40th Parl, 2010, cl 10 (first reading 25 May 2010).

29. See, e.g., section 445.72 of Michigan's Identity Theft Protection Act, 2004, Act 452 (available online: Michigan Legislature http://www.legislature.mi.gov), which provides that the aggregate liability of a person for civil fines for breach notification failures arising from the same security breach can be as much as $750,000.00.

30. "Key Steps for Organizations in Responding to Privacy Breaches" (28 August 2007), online: Office of the Privacy Commissioner of Canada http://www.priv.gc.ca.

31. Section 34.1 of the Personal Information Protection Act, S.A. 2003, c. P-6.5.

32. Ibid., Section 37.1.

33. A positive example of how to manage the after-effects of a privacy breach can be seen in the Canada Border Services Agency's handling of a recent privacy breach. The Agency had released a document to the public that accidentally included a page containing personal information belonging to other individuals. Upon discovery of the breach, the Canada Border Services Agency pledged to review its procedures and to implement a manual quality assurance process for all information that it releases, so that similar data breaches do not occur in the future. See "Findings under the Privacy Act: Software glitch at border services agency triggers data breach" (18 June 2010), online: Office of the Privacy Commissioner of Canada http://www.priv.gc.ca.

34. "Key Steps for Organizations in Responding to Privacy Breaches" (28 August 2007), online: Office of the Privacy Commissioner of Canada http://www.priv.gc.ca.

35. Murn Meyrick, "Privacy Liability and Insurance", available online: Nymity http://www.nymity.com/~/media/Whitepapers/ESRI%20Chapter%20on%20Privacy%20Insurance.ashx.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
