Originally published on CyberInquirer.

Recent unauthorized access to British Columbia Institute of Technology's computer network, which contained personal medical information of approximately 12,680 individuals, is yet another reminder of the risks of exposure to data breaches. That none of the data on BCIT's computer network was compromised or misused is reflective of a low-profile non-hacker intrusion, and of the ease with which computer networks can be infiltrated. Indeed, a sophisticated hacker would know better than to leave massive amounts of data, rightly labeled by some as the "oil" of the 21st century, uncompromised. More curious than the uncompromised data, however, is BCIT's notification in the absence of both an actual data breach and mandatory breach notification provisions under B.C. privacy law.

To analogize the recent unauthorized access to BCIT's computer server to a bricks-and-mortar scenario, consider an intrusion into a house whose front door was mistakenly left unlocked by its owner. An intruder enters the home and spends some time watching Life is Beautiful on a widescreen plasma TV mounted next to a collection of Rémy Martin Louis XIII (a pricey brand of cognac). After some time, the intruder finally leaves with a generic white cardboard box. To the extent that the break-in on BCIT's computer network was designed to use its servers for downloading and uploading foreign films, leaving the medical information of 12,680 individuals uncompromised, the house burglary scenario is not too dissimilar to what occurred in the cyber world with BCIT's network.

We live in a global knowledge economy. Virtually every service industry sector (financial, insurance, legal, medical, publishing, educational, etc.) is heavily reliant upon information. As early as 1983, CEOs of large banks were labeling data as the new oil of modern-day economies. The value of information is not the information itself but what it enables its controller to do on a larger scale. Consider this next example. In 1970, the U.S., through data gathered by a fleet of satellites, became aware of Brazil's coffee crop failure before Brazilians knew. Had Brazilians not become aware of their crop failure in time, foreign speculators would have bought up coffee futures at a far lower price based on the coffee shortage, with disastrous effects on the Brazilian economy. As the awareness of the value of data continues to grow, privacy and data are increasingly threatened, and companies are increasingly faced with the prospect of massive and costly data breaches.

On a micro scale, one website estimates a user's web browser history to be worth US$57, digital communication history at US$57.00, a social security number at $240.00, and an individual's health history (medical records, diet, health routines) at US$38 (hence the term "data-banks"). These figures provide some indication as to why Google is worth approximately 111.5 billion dollars, and Facebook 85.35 billion dollars, but also why BCIT spared itself a potentially hefty class action suit such as the one experienced in 2009 in Durham, Ontario, after a nurse misplaced a USB containing the information of over 83,000 patients.

Aside from Ontario, New Brunswick, and Newfoundland and Labrador, which have breach notification provisions in health care related privacy laws, Alberta is the only province to have a blanket breach notification provision under its privacy law. That BCIT provided notification despite there being no mandatory breach notification requirement under B.C. law demonstrates a growing sense of accountability by organizations and businesses towards Canadians. At the federal level, this growing sense of accountability is manufacturing support for Bill C-12: An Act to Amend the Personal Information and Electronic Documents Act, which would impose a mandatory breach notification requirement across Canada. Thus, in the future, organizations and businesses that fail to maintain secure computer networks and that encounter sophisticated hackers may not only face costly class action lawsuits, but may also see their reputation, a principal asset in dealing with consumers, clients, citizens, and patients, significantly affected by mandatory breach notification requirements.

www.cozen.com
