While any unauthorized access to personal information constitutes a security breach, not all security breaches will have the same consequences. Organizations need to examine the nature of a breach and the risk of harm to the subject individuals, through identity theft or otherwise, when deciding on an appropriate response. This article reviews some current Canadian best practices in maintaining data security and in responding when that security is breached.
Preventing Data Security Breaches
Often, the best defence is a good offence. Organizations can take the offensive against data security breaches by acting to prevent them before they happen. In its 2005/2006 Annual Report, the B.C. Commissioner highlighted the need to guard against theft and improper disposal of personal information. More recently, the importance of maintaining sophisticated technological safeguards when using, storing or disposing of personal information was underscored when the Ontario Commissioner issued an order against Toronto’s Hospital for Sick Children in connection with an off-site theft of a laptop containing personally identifiable health information. The laptop had standard password login protection, but the Ontario Commissioner found that this was insufficient given the sensitivity of the personal health information stored on the laptop. The Commissioner imposed a number of requirements on the Hospital, including:
- Encrypting all personal health information removed from the Hospital in electronic form; and
- Encrypting or making anonymous all personal health information residing on an electronic device (including laptops, desktops, PDAs and other portable devices) not stored on secure servers.
As noted below, under "Steps to Consider", all organizations whose personal data is routinely taken off-site by those using laptops or portable data storage devices should consider implementing policies of this type.
Responding to a Data Security Breach
Inevitably, even the best preventive measures will sometimes come up short. Notification is an important consideration whenever there has been a personal information security breach. Currently, neither the Personal Information Protection and Electronic Documents Act (PIPEDA) nor its corresponding provincial legislation requires organizations to report breaches to the Privacy Commissioner or to affected individuals (although they do impose a requirement to implement organizational, physical and technological safeguards that are commensurate with the sensitivity of the personal information).
In this respect, Canadian law differs from the U.S., where thirty-five states and the District of Columbia have introduced some form of data breach notification legislation (as of the date of writing). There are some indications that Canadian jurisdictions may eventually follow suit. Of particular note in this regard is a recent submission to the Standing Committee on Access to Information, Privacy and Ethics of the Canadian House of Commons, in which the Office of the Privacy Commissioner of Canada strongly encouraged Committee members to recommend an amendment that would add a breach notification provision to PIPEDA. The Commissioner also noted that she is concurrently working with stakeholders to develop voluntary guidelines. However, while the progress of these proposals will be worth following, there is currently no statutory obligation to notify.
Even though notification is not a legal requirement, it is still often in the interest of an organization whose data security has been breached. In cases that could attract public or media attention, failure to publicize a breach could eventually lead to public criticism and reputational damage. In addition, the harm caused by a breach, notably identity theft, will generally be reduced where those whose personal information has been compromised are made aware of the problem as soon as possible.
In December 2006, the Privacy Commissioners of British Columbia and Ontario jointly published a privacy breach notification assessment tool to assist organizations in responding to a personal information security breach. While not legally binding, the Tool is a useful guide to possible responses to a breach. It addresses four important types of questions:
- Whether to notify affected individuals, considering the following factors:
  - Notification requirements under applicable law – e.g. the relevant U.S. law where a company operates in U.S. states with statutory notification requirements;
  - Notification requirements arising by contract;
  - Risk of identity theft and/or fraudulent activities;
  - Risk of physical harm;
  - Risk of humiliation or harm or damage to an individual’s reputation; and
  - Risk of affecting an individual’s business or employment opportunities.
- When such notification should occur (and the methods of notification, which may be either direct or indirect depending upon the circumstances);
- What content a notification communication should include; and
- Which other organizations to consider notifying.
In connection with the Tool, the B.C. Commissioner released a document setting out the key steps in responding to privacy breaches as well as a privacy breach reporting form. For its part, the Ontario Commissioner released two documents suggesting protocols and best practices for the health sector and government organizations.
Steps to Consider
When determining what safeguards to implement, organizations should consider:
- Protecting personal information residing on a laptop, BlackBerry or other portable device using safeguards commensurate with the sensitivity of the information – technological safeguards such as authentication (biometric or otherwise) and encryption provide significant protection to personal information on portable devices;
- Maintaining secure environments where necessary, including making necessary adjustments to remote access capabilities and other factors that might compromise the integrity of a secure environment;
- Physical safeguards such as restricted areas, locked records and restricting the use of communication and storage media by individuals when accessing personal information;
- Organizational safeguards such as restricting access to a "need to know" basis and regular employee training on the organization’s obligations, policies and procedures;
- Ensuring that personal information is properly disposed of without risking unauthorized disclosure;
- Reviewing safeguards on an annual basis to ensure that they remain effective;
- Reviewing retention policies – these should consider all personal information retained by, or on behalf of, the organization, including personal information residing on operational systems, test environments, archives, service provider systems or otherwise;
- Conducting periodic audits to ensure compliance with safeguard requirements and to address unnecessary or high risk activities, including reviewing:
  - what personal information is being collected and whether it is necessary;
  - how personal information is being used by the organization;
  - any disclosures of personal information by the organization;
  - how personal information is being stored and disposed of; and
  - retention periods.
Organizations should also prepare an incident response plan, the elements of which may include:
- Creating an incident response team;
- Evaluating the scope of a breach;
- Breach containment and mitigation;
- Internal notification protocols;
- Examining external notification requirements, whether contractual or legislative;
- Notification of law enforcement authorities where appropriate;
- Media and communication strategies;
- A plan for the notification of affected individuals;
- Remedial steps;
- Monitoring progress of resolution and mitigation efforts; and
- Introducing and implementing measures designed to prevent recurrences.
Not all elements of an incident response plan will be used for every personal information security breach. A risk assessment of a security breach should always be conducted to ensure that the response is appropriate to the circumstances and attentive to the distinct types of exposure that different breaches will create.
Finally, it is important to conduct regular reviews of privacy safeguards to ensure that they continue to be appropriate and effective. Organizations should revisit their privacy breach incident response plan from time to time to ensure that any privacy breach they experience will be dealt with as effectively and efficiently as possible and in accordance with current best practices.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.