Breaches in personal information security can take many forms. They can be externally driven by hackers or internally motivated by careless, or even cautious, employees who find themselves in unfortunate circumstances.
In January 2007, the Canadian Imperial Bank of Commerce (CIBC) reported that its mutual fund subsidiary, Talvest, lost a backup drive in transit from Montreal to Toronto that contained personal information on approximately 470,000 clients. Information such as addresses, signatures, names, dates of birth, social insurance numbers and financial information was contained on the drive. The loss was significant enough that the federal Privacy Commissioner elected to launch a probe of the situation. (1) The disclosure of the Talvest event occurred a few weeks after an announcement by TJX Co., operator of retail stores including TJ Maxx, Winners, and Homesense, among others, that it had experienced a serious (and extended) breach of its computer systems with a potential compromise of personal information. (2) Although the above examples occurred on a significant scale, privacy breaches also occur on a simpler scale. An example of a public-sector privacy breach (one that could easily occur in a private-sector business) happened when a laptop belonging to an employee of the Hospital for Sick Children in Toronto was stolen from a parked vehicle. The laptop contained personal health information in the form of research data on participants involved in research studies. (3)
Businesses should already have policies and procedures that are appropriate to address collection, control, use, and disclosure of personal information in a manner that meets their legal obligations and desired best practices. The focus of this article is what an organization should do when privacy breaches occur. Any reasonable risk management plan will do more than just take steps to minimize the crystallization of risk. Unless the risk can be completely eliminated, a responsive plan should be in place should a particular risk materialize.
Federal privacy breach obligations
Some recent privacy breaches have exposed what some commentators argue is a flaw in federal privacy legislation that is otherwise intended to be comprehensive in nature. The federal Personal Information Protection and Electronic Documents Act (PIPEDA) does not address what obligations a business has in situations where privacy breaches have occurred in relation to personal information within its control. In many situations, a business will be aware that the security and integrity of personal information has been compromised well before the affected individual(s) are.
In a recent committee review of the federal PIPEDA, a number of parties made submissions that there should, in fact, be statutory obligations relating to what actions are required of a company if there has been a breach of the security obligations within the Act. This includes mandatory disclosure to affected individuals. However, at this point, Parliament has not taken any steps to alter the legislation. Provincial private sector privacy legislation is consistent with federal legislation as it does not require privacy breaches to be disclosed to affected individuals.
Privacy breach response plan
What action should be taken once a privacy breach occurs? As with other risk situations, there should be a plan in place that will direct how such matters need to be handled before an actual incident occurs. A response plan should address matters such as identifying the individuals involved in handling the failure along with a series of immediate actions. This should include a thorough investigation to determine what caused a breach (the extent of which will vary depending on the nature of the breach) and rectification of any procedural or technology failures as soon as possible if the event is not a strictly isolated occurrence. It is important to notify essential individuals in the organization that an incident has occurred. Key employees should set the tone for how the company responds. Appropriate communication is also an essential part of the response plan.
An inevitable question that arises is whether individuals whose personal information has been compromised should be notified about the breach. In terms of notification, there are two approaches to managing disclosure where there is permitted discretion. One approach suggests that notification should be provided in the event of any breach because it may come to the attention of others. Should this happen, a company may face significant public relations challenges. Do not assume that the "injured" individual(s) won't find out about the information breach. Although some consideration must be given to the form and scale of communication that is used, from the perspective of treating individuals as valued customers (or employees should it involve employee information) one must also seriously consider taking the initiative to advise individuals that the integrity of their personal information held by the company has been compromised. In some situations, particular governing legislation (e.g., Ontario's Personal Health Information Protection Act) may require disclosure.
To avoid over-notification and needless costs, it is perfectly acceptable not to disclose every breach that occurs. At least one U.S.-based privacy advocate has suggested that there should be a clear risk of danger or harm to a customer before a company elects to notify the customer. If opting to disclose, guidance is available from the Privacy Commissioner's office. An organization should have a plan that is business-appropriate and provides direction.
Related to the foregoing is the consideration of whether the office of the privacy commissioner, who might have jurisdiction over the matter, should be advised of the breach. At least one organization, the Hospital for Sick Children, received commendation from a Privacy Commissioner for proactively bringing a privacy breach to the commissioner's attention. (4) It did not prevent the commissioner from conducting an investigation and rendering findings, but the fact that the hospital had been openly cooperative accompanied most public reports about the incident. The hospital at least mitigated the potentially negative public response with some positive comments from the provincial privacy commissioner. Although current private sector privacy legislation does not generally mandate disclosure to a privacy commissioner, this could well change in the future.
Similar to most risk management plans, a response plan for privacy breaches should be reviewed on a regular basis and amended as necessary. It is possible that the nature of the information being collected, technology, and/or storage practices could change over time and necessitate appropriate revisions to a company's plan. A company does not want a plan that provides an ineffective response if/once implementation becomes necessary.
The management of personal information continues to be a challenge for businesses. Business operators must be sensitive to actual legal obligations in this respect, as well as public perception. The attendant downside risk of both provides incentive to plan ahead with respect to privacy breaches.
Darren Charters is a continuing lecturer of Business Law in the School of Accountancy, University of Waterloo. He has taught, written, and consulted on privacy matters.
(1) http://www.softnews.ca/index.php?name=News&file=article&sid=42
(2) http://www.infoworld.com/article/07/01/17/HNtjxbreach_1.html
(3) http://www.sickkids.ca/mediaroom/custom/laptop07.asp
(4) This incident fell under the jurisdiction of the Ontario Personal Health Information Protection Act (PHIPA) which does mandate disclosure to affected individuals but not the Provincial Privacy Commissioner's Office.