
Enough with the Unencrypted Portable Devices says the Ontario IPC

The #1 item on my “tough love list” for New Year’s 2013 was “Enough of the Unencrypted USB Keys“.

You won’t have been alone if you didn’t tackle that in the first quarter of 2013.

However, the Information and Privacy Commissioner of Ontario has filmed and posted a “Commissioner’s Corner” that might get this item onto your agenda. Following the latest loss of data in Ontario, Dr. Cavoukian spoke out on the transfer and storage of personal information on unencrypted storage devices.

Some salient quotes from Dr. Ann Cavoukian:

“It wasn’t encrypted; that’s what makes me crazy”

“You cannot allow data, sensitive data especially, to be transferred onto a mobile device, be it a laptop, a USB key, whatever, without encrypting the data”

“It’s not enough to have a policy that says you are supposed to encrypt the data, you have to have that reflected in concrete actions that take that from the policy stage to the front line staff who are doing these things and you have to train the staff […] and you have to give them the means by which they know how to encrypt the data […]”

“Don’t let there be one more data breach like this”

Message received, Commissioner.

U.S. Proposal for Federal Privacy Breach Notification Law: Whither Canada?

The U.S. Senate is considering a new U.S. federal privacy breach notification law, entitled The Data Security and Breach Notification Act of 2012.  The Bill is currently before the Committee on Commerce, Science and Transportation.

If enacted, the Bill would apply to organizations over which the U.S. Federal Trade Commission has authority (“covered entities”).  For these organizations, the Bill’s provisions would pre-empt a patch-work of state laws dealing with privacy breach notification.  It would not regulate financial institutions or certain health care institutions that are governed by other U.S. federal legislation.

Notably, the Bill recognizes the reality of the outsourcing of data processing and integrates that into a hierarchy of responsibilities so that data breach notification can be implemented in an organized way.  The following are some of the highlights of the Bill:

  • Covered entities who own or licence data in electronic form must provide notification to citizens or residents of the United States whose personal information may have been “accessed and acquired by an unauthorized person and that the covered entity reasonably believes has caused or will cause, identity theft or other financial harm.”
  • If the number of individuals involved in the data breach exceeds 10,000, then the covered entity must also notify the U.S. Secret Service or the U.S. Federal Bureau of Investigation.
  • Third parties who are contracted to maintain, store, or process data in electronic form containing personal information on behalf of a covered entity are required to notify covered entities of security breaches.  At that point, the covered entity is responsible for notification to individuals.
  • Internet service providers and other service providers who route data are required to notify covered entities of security breaches affecting the covered entities’ data if those covered entities can be reasonably identified. Once notified, the covered entities are responsible for notification to individuals.
  • Notification to individuals is to be made “as expeditiously as practicable and without unreasonable delay, consistent with any measures necessary to determine the scope of the security breach and restore the reasonable integrity of the data system that was breached.”  However, notification may be delayed in the interests of a criminal investigation or national security.
  • Generally, notification will be direct notification and may be made by mail, telephone or electronic means. The content of the notice is specific: the date, estimated date, or estimated date range of the breach of security; a description of the personal information that was accessed and acquired, or reasonably believed to have been accessed and acquired, by an unauthorized person as a part of the security breach; and contact information to find out more about the breach and the information that the covered entity maintains about the individual. If the covered entity does not have sufficient contact information or the cost would be excessive, the covered entity may provide notice by certain substitute means.

The proposed U.S. Bill has a limited reach.  It is focused on personal information that is highly sensitive in terms of identity theft and fraud.  The definition of “personal information” is limited to an individual’s first name or first initial and last name in combination with any one or more of the following:  (a) social security number; (b) driver’s license number, passport number, military identification number, or other similar number issued on a government document used to verify identity; or (c) financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

Meanwhile, in Canada, amendments to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) remain stalled.  The amendments would introduce privacy breach notification to provinces other than British Columbia, Alberta (which already has privacy breach notification) and Quebec.  See my post for a run-down.

When comparing the proposed U.S. and Canadian legislation, one issue that jumps out is that the Canadian Bill is concerned with a broader array of data security breaches.  This is not necessarily a good thing.  

First, the Canadian amendments do not clearly distinguish organizations that are primarily accountable for personal information from outsourcing companies who may process or store the information and service providers who may route data.  Instead, any organization that “controls” the data is responsible for data breach notification.  “Control” is not defined.  Previously, the Office of the Privacy Commissioner of Canada has concluded that information may still be controlled by an organization even though not in its possession.  This makes sense and is consistent with the law in other areas, such as discovery obligations in litigation.  However, it is possible that more than one organization may “control” the information.  We might productively debate whether a hierarchy of responsibility, such as in the proposed U.S. Bill, would provide clarity, make breach notification more manageable, and more clearly define who is accountable for the implementation of breach notification.

Second, the Canadian amendments apply to all types of personal information. It will be up to organizations to determine whether the breach is “material” based on assessments of the sensitivity of the personal information. No legislative guideposts are provided with respect to sensitivity. Furthermore, the standard for individual breach notification rests on whether the individual might suffer a real risk of significant harm. The types of harm are broad. If the Alberta experience is indicative of the approach that might be taken federally, the result will be an expansive interpretation of what might constitute a real risk of significant harm. Although the individual breach notification requirement in the proposed U.S. Bill is also related to harm, it is more narrowly focused on identity theft and financial harm. While we might debate whether these protected interests are too narrow, there may be utility in revisiting whether the Canadian law is too vague to provide organizations with meaningful guidance.

The American Bar Association has more on the U.S. Bill here.


Parliament Watch: Proposed PIPEDA Amendments Languish

Canada’s House of Commons has recessed.  Members of Parliament aren’t scheduled to return until September 17, 2012.  By then, Bill C-12, An Act to amend the Personal Information Protection and Electronic Documents Act (short title: Safeguarding Canadians’ Personal Information Act) will have been on the order paper for almost a year, having been introduced in the House of Commons on September 29, 2011.  The Bill doesn’t appear to be moving any quicker than its predecessor, which died when Parliament was dissolved in March 2011.

Bill C-12 would give effect to some of the legislative reforms recommended following the last 5-year review of PIPEDA (which happened more than 5 years ago!).  If the Bill could ever get some traction and make it into force, it would (among other things):

  • Create a new definition of “business contact information”.  “Business contact information” is defined as an individual’s name, position or title, work address, work telephone number, work facsimile number, work e-mail address and any similar information about the individual.  This information would not be subject to PIPEDA if the business contact information is collected, used or disclosed solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business or profession.  Although still an important reform, the regulation of the use of this information (particularly e-mail addresses) may be overtaken for practical purposes by Canada’s Anti-Spam Legislation (CASL) when that legislation comes into force.  My colleague, Margot Patterson, has some excellent explanations of CASL on this blog.
  • Specify that consent means informed consent.  Consent to collection, use or disclosure of their personal information is valid only if “it is reasonable to expect that the individual understands the nature, purpose and consequences of the collection, use or disclosure to which they are consenting”.
  • Provide for broader disclosure exceptions for law enforcement purposes. Organizations would be permitted to disclose personal information without consent where the disclosure is requested “for the purpose of performing policing services”.  “Policing services” is undefined.  Organizations would also be permitted to disclose information to other organizations (not just government institutions) to investigate a breach of an agreement or the laws of Canada or a province or, in certain circumstances, to prevent, detect or suppress fraud.
  • Add a prospective business transaction exception.  Businesses could disclose personal information to determine whether to proceed with a business transaction (such as a merger or asset sale) and then to complete it.
  • Enact breach notification provisions.  Organizations would be required to notify the Privacy Commissioner of a material breach of security of personal information.  In addition, organizations would be required to notify the affected individuals if it is reasonable to believe that the breach creates a real risk of significant harm to the individual.


Potential Password Breach? Your response won’t stop with one account.

You’ve heard reports that your social or professional networking service provider’s systems or your e-mail service provider’s systems may have had a security breach allowing hackers to see your password.

What do you do?  You might change your password for that account, right?  Sure, but you probably won’t be able to stop there if you want to protect yourself.  You need to develop a more complete response.  First, you need to map the extent of the risk.  Here are a few ideas:

1. Make a list of all accounts where you use the same User ID as the potentially compromised account. If you are very active on-line, this could be a very long list. Quite often your e-mail address will be your user ID for multiple accounts. For example, LinkedIn, Facebook, Google, online shopping accounts, professional association websites, online access to employment benefits providers, and applications at the office might use the same email address as the User ID for the application.  If you ever wondered why Canadian Privacy Commissioners think your e-mail address is personal information, here’s why!

2. Now make a list of all User IDs that are visible on the compromised account or are connected with the compromised account. What do I mean by this? You might have listed your Twitter address on a social or professional networking page. Is that Twitter address your User ID to log into Twitter? If so, add it to the list. Have you entered other email addresses? If so, add them to the list as well as all the other accounts that use these same credentials as User IDs.

3. Now put a mark beside every account that shares the same password with the compromised account or uses a variation on the password used for the potentially compromised account. Yes, you are supposed to have a unique password for each account but we all know that most of you don’t. You have a few that you rotate or use as variations of one another.

4. Here’s your last preparatory step: make a list of all applications that are launched from accounts listed in #3 and that store your passwords for other applications if they are not already on your lists. Put a mark beside those too because they may have been compromised.  For example, does the application you use for Twitter also store the password for and post to Facebook on your behalf?

Now you have a map of the potential problem.  It is probably much bigger than just changing the password for the potentially compromised account. If a hacker knows the password that is associated with a User ID or group of User IDs, the hacker has a starting point to hack your other accounts that you have helpfully listed or connected for the world (or at least the hacker) to see! If you only change the account that has been potentially compromised, you have locked the front door but left the windows and side door open. If you want to increase your protection, you should be thinking about changing all of these passwords.

Notice that I have not mentioned the potentially compromised account yet? That’s because you should consider doing something different for that account. If you are not yet certain whether the alleged security breach has been fixed, you should choose a password that you will not use for any of the other accounts – not even a variation on what you will use for any other accounts.  Otherwise, you might have to go through this all again in short order once the breach has been fixed.  You might also wish to temporarily suspend any permissions you have given to the potentially compromised account to access your other accounts (for example, if you aggregate social networks or you use one account to post into another account).
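The four preparatory steps above, as an added example that is not part of the original post: a small Python walk over a constructed, hypothetical account inventory that marks every account sharing the compromised account’s user ID, any user ID visible on it, its password (or a variation of it), and anything reachable through apps that store passwords on your behalf. The account names, IDs and relationships are all made up for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    user_id: str
    password_family: str                          # same label = same password or a variation of it
    visible_ids: frozenset = frozenset()          # other login IDs shown on this account's page
    launches: frozenset = frozenset()             # apps you sign in to through this account
    stores_credentials_for: frozenset = frozenset()  # accounts this app holds a password for


# Constructed, hypothetical inventory for illustration only (not real accounts).
INVENTORY = [
    Account("ProNet", "jane@example.com", "A",
            visible_ids=frozenset({"@janedoe"}), launches=frozenset({"PostBot"})),
    Account("Webmail", "jane@example.com", "B"),
    Account("Shop", "jane@example.com", "A"),
    Account("Microblog", "@janedoe", "C"),
    Account("PostBot", "n/a", "D", stores_credentials_for=frozenset({"SocialNet"})),
    Account("SocialNet", "jane.doe", "C"),
    Account("Photos", "jane.doe", "A"),
    Account("Bank", "jd1234", "E"),
]


def map_exposure(accounts, compromised):
    """Return {account name: set of reasons} for every account whose password
    should change after `compromised` may have leaked its password."""
    by_name = {a.name: a for a in accounts}
    comp = by_name[compromised]
    # The compromised account gets a fresh password unrelated to any other one.
    flagged = {compromised: {"compromised: new password not shared with or derived from any other account"}}

    def flag(name, reason):
        flagged.setdefault(name, set()).add(reason)

    for a in accounts:
        if a.name == compromised:
            continue
        if a.user_id == comp.user_id:
            flag(a.name, "same user ID")                                  # step 1
        elif a.user_id in comp.visible_ids:
            flag(a.name, "user ID visible on the compromised account")    # step 2
        if a.password_family == comp.password_family:
            flag(a.name, "shared or variant password")                    # step 3

    # Step 4: apps launched from a marked account that store passwords for other
    # accounts are marked too, and so is every account they can log in to.
    worklist = list(flagged)
    while worklist:
        holder = by_name[worklist.pop()]
        for app_name in holder.launches:
            if by_name[app_name].stores_credentials_for and app_name not in flagged:
                flag(app_name, f"launched from {holder.name} and stores passwords")
                worklist.append(app_name)
        for target in holder.stores_credentials_for:
            if target not in flagged:
                flag(target, f"password stored by {holder.name}")
                worklist.append(target)
    return flagged


if __name__ == "__main__":
    for name, reasons in map_exposure(INVENTORY, "ProNet").items():
        print(f"{name}: {', '.join(sorted(reasons))}")
```

In the constructed inventory only "Bank" stays unmarked; everything else is reachable through a shared ID, a shared password family or the password-storing app.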

Last step: You should monitor your accounts closely, particularly if they contained sensitive personal information (such as financial information) that could be used for identity theft.  If you are a consumer and you have questions about identity theft, you may also wish to start with the Ontario Government’s pamphlet on protecting your identity.

Get Accountable! Privacy Commissioners Release Guidance Document

On April 17, 2012, the Office of the Privacy Commissioner of Canada and its counterparts in the provinces of British Columbia and Alberta announced a new guidance document on accountability, entitled “Getting Accountability Right with a Privacy Management Program”.

The accountability guidance assists organizations in considering the following essential elements of demonstrating accountability under privacy legislation in Canada.  In particular, privacy legislation in Canada is typically interpreted as requiring:

  • Privacy Officer. The appointment of a designated person to oversee compliance with Canadian privacy legislation.  In larger organizations, this may require a privacy group or office.
  • Policies & Education. The establishment of privacy policies and processes for training and on-going training of employees with respect to those policies.
  • Governance of Third-Party Processors. The inclusion of privacy guarantees and audit rights with respect to the organization’s third-party processors of personal information.
  • Inquiries & Complaints. Systems to identify requests for access and correction of personal information or complaints regarding the collection, use, retention or disclosure of personal information and trained staff to respond to those requests and complaints. This also requires organizations to understand what personal information they have collected and who has custody of it.
  • Risk Assessment. Organizations are responsible for engaging in risk assessment in all aspects of the life-cycle of personal information – collection, uses, new uses, retention, disclosure and destruction of information – and to demonstrate risk-minimization strategies through administrative, physical and technological procedures.
  • Breach Response Procedures. Organizations should have breach detection and response protocols that are compliant with general privacy principles and any applicable mandatory breach notification requirements.


PIPEDA and Proposed Mandatory Breach Notification Provisions

In previous posts, I outlined the mandatory breach notification provisions under the Alberta Personal Information Protection Act (“PIPA”), I examined the test used by the Alberta Privacy Commissioner in determining whether to order individual breach notification and I described the consequences of failing to comply with the mandatory breach notification provisions of PIPA.

This post picks up from where I left off by describing the proposed amendments to the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) introduced in September 2011 in Bill C-12, which has not yet progressed further than First Reading in the Canadian House of Commons.  In the next post in this series, I will compare these proposed federal amendments to the existing Alberta provisions.  Future posts will track the progress of Bill C-12.

Test for notification to the federal Privacy Commissioner

The proposed amendments to PIPEDA require an organization to notify the Office of the Privacy Commissioner of Canada of a “material breach of security safeguards” involving personal information under the control of the organization.

What is a breach of security safeguards?

A “breach of security safeguards” is defined to mean the loss of, unauthorized access to, or unauthorized disclosure of personal information that results from either a breach of security safeguards described in the privacy principles in Schedule 1 to PIPEDA or the failure to establish safeguards in accordance with those privacy principles.

In summary, the security safeguard principles set out in Schedule 1 of PIPEDA are:

  • personal information must be protected against loss, theft, and unauthorized access, disclosure, copying, use, or modification;
  • sensitive information should be safeguarded by a higher level of protection;
  • methods of protection should include: (a) physical measures, for example, locked filing cabinets and restricted access to offices; (b) organizational measures, for example, security clearances and limiting access on a “need-to-know” basis; and (c) technological measures, for example, the use of passwords and encryption; and
  • disposal and destruction should be through secure methods.

What is a material breach?

Relevant factors for determining whether a breach of security safeguards is material include:

  • the sensitivity of the personal information;
  • the number of individuals whose personal information was involved; and
  • an assessment by the organization that the cause of the breach or a pattern of breaches indicates a systemic problem.

Test for individual breach notification

An organization must make individual breach notification if:

  • it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual; and
  • there is no other law that would prohibit such disclosure.

What is significant harm?

“Significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.

Relevant factors for determining whether there is a “real risk” of significant harm include:

  • the sensitivity of the personal information involved in the breach; and
  • the probability that the personal information has been, is being or will be misused.

How quickly must notification occur?

Notification to the Privacy Commissioner must be made as soon as is feasible after discovering the breach. Notification to individuals must be made as soon as is feasible after concluding that the test for individual breach notification has been met.  Notification must occur in a prescribed form and must generally be direct notification.

Test for third party notification

The proposed amendments also require an organization that makes individual breach notification to notify other organizations or government institutions if the risk of the harm could be mitigated by doing so.  For example, this might include making a notification to credit reporting agencies in cases where there is a real risk of identity theft that could be ameliorated with cautions on credit reports.

Penalties for non-compliance

Complaints regarding non-compliance with the mandatory breach notification provisions may be made to the Privacy Commissioner. The Privacy Commissioner may investigate and make recommendations and findings.  Although the Privacy Commissioner does not have order-making powers, complainants may seek monetary damage awards before the Federal Court in certain circumstances.

Offences for Failing to Report Privacy Breaches: Alberta

In two previous posts, I provided an outline of privacy breach notification obligations under the Personal Information Protection Act (Alberta) and I discussed the factors that the Alberta Privacy Commissioner considers when deciding whether to make an order requiring an organization to notify individuals of a privacy breach. This post describes the consequences to an organization of failing to comply with privacy breach notifications under the Alberta Act.

An organization over which the Alberta Privacy Commissioner has jurisdiction must make a notification to the Alberta Privacy Commissioner of a breach that a reasonable person would consider to involve a real risk of significant harm.  The Canadian approach to jurisdiction requires that there be a real and substantial connection regarding the subject matter of the incident and Alberta before the Alberta Privacy Commissioner claims jurisdiction.

The outer limits of the real and substantial connection test in respect of privacy issues have not been fully developed.  The test will be satisfied where the organization (other than a federally regulated organization) has a place of business or registered office in Alberta. Federally regulated organizations are subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).

When dealing with foreign organizations, the real and substantial connection test is likely to be satisfied where a foreign organization has representatives in Alberta conducting business on its behalf collecting personal information of residents of Alberta even though that organization does not maintain an office in Alberta. The test may also be met if a foreign organization is engaged in non-trivial activities in Alberta through electronic means that involve the collection, use and disclosure of personal information of persons resident in Alberta even when the organization does not have representatives in Alberta. However, each situation involving foreign organizations must be assessed on a case by case basis.

If the Alberta Act applies, then it is an offence under paragraph 59(1)(e.1) of the Alberta Act to fail to provide the required notification to the Privacy Commissioner of a privacy breach that meets the harm-based threshold discussed in Wednesday’s post.

It is also an offence under paragraph 59(1)(f) not to comply with an order of the Privacy Commissioner to provide notification to affected individuals, which was discussed in Thursday’s post.

These offences are punishable by a fine of up to Cdn. $10,000 for an individual and Cdn. $100,000 for a corporation or other entity. There is a two-year limitation period on prosecutions.

In August 2011, the Alberta Privacy Commissioner reported that there had been 90 reported breaches in 16 months. Most of the breaches involved human error, including mundane e-mail, fax or regular mail errors, stolen or lost unencrypted electronic devices, and improper record and electronic media destruction.

Individual Privacy Breach Notification in Alberta

In yesterday’s post, I provided a basic outline of privacy breach notification obligations under the Personal Information Protection Act (Alberta). I explained that the Alberta Privacy Commissioner may order an organization to make individual privacy breach notification if there is a “real risk of significant harm” as a result of the loss of, unauthorized access to, or unauthorized disclosure of the individual’s personal information. 

In deciding whether there is a “real risk of significant harm,” the Alberta Privacy Commissioner will consider:

  • whether there is some damage, detriment or injury that could be caused to an individual as a result of the privacy breach;
  • whether this harm is important, meaningful and with non-trivial consequences or effects;
  • whether the likelihood of this harm is more than mere speculation or conjecture; and
  • whether there is a causal relationship between the privacy breach and the possible harm.

The Alberta Privacy Commissioner typically considers the loss of, or unauthorized access to, a social insurance number, driver’s licence number, or financial and credit card information to pose a real risk of significant harm to an affected individual.  This will be true even if the more sensitive information relates to expired credit cards or other potentially stale information because this information could still be used for identity theft and phishing purposes.  As a general observation, therefore, organizations should expect that if sensitive personal information is lost in an unencrypted form, the Alberta Privacy Commissioner will conclude that the loss poses a real and not speculative risk.  

The risk of identity theft is not the only type of harm that is of concern to the Alberta Privacy Commissioner.  Information as varied as background checks or a person’s designated beneficiaries to pension or insurance policies may give rise to hurt feelings, humiliation and damage to reputation and, therefore, pose a “real risk of significant harm” to the affected individuals.

In determining whether there is a “real risk of significant harm” the Alberta Privacy Commissioner employs a contextual analysis.  Personal information such as name and e-mail address is considered by the Alberta Privacy Commissioner to be of moderate sensitivity. However, this information may be combined with other information that would increase its sensitivity. For example, the Alberta Privacy Commissioner will consider whether the personal information might involve information regarding a customer-merchant relationship that could be used in a targeted phishing attempt.

As mentioned in my previous post, the Alberta Privacy Commissioner has discretion to permit general notification where individual notification would be unreasonable.  The Alberta Privacy Commissioner has permitted general notification, such as postings on websites and at physical locations, in situations where the organization demonstrates that the contact information on file is “stale” and, therefore, individual notification attempts would be pointless.

In tomorrow’s post, I will describe the consequences for failing to comply with Alberta’s mandatory breach notification provisions.

Privacy Breach Notification in Alberta

In preparing compliance manuals, some foreign e-commerce businesses entering into Canada may ask about their mandatory privacy breach notification responsibilities.

So, what’s the situation in Canada? Today’s post will describe the mandatory breach notification provisions in the Personal Information Protection Act (Alberta).  Tomorrow’s post will describe the test used by the Alberta Privacy Commissioner for determining whether individual notification is required.  Friday’s post will describe the offences for failing to make the required notification. Future posts will outline the proposed mandatory breach notification provisions for the Personal Information Protection and Electronic Documents Act (Canada), compare these provisions with those in selected U.S. and European jurisdictions, describe mandatory breach notification provisions relating to personal health information, and comment on the legal case for voluntary breach notification for all types of personal information in Canada.

Caution: This series of posts provides general information about the mandatory breach notification provisions. If your organization has had a privacy breach, you should seek legal advice about your situation to ensure you meet your legal responsibilities.

In May 2010, the Province of Alberta was the first jurisdiction in Canada to enact mandatory breach notification provisions. As of February 1, 2012, Alberta remains the only jurisdiction in Canada that has enacted mandatory breach notification provisions governing personal information (leaving aside special legislation governing personal health information). 

The Personal Information Protection Act (Alberta) uses a harm-based threshold for determining whether privacy breach disclosure is required. Pursuant to subsection 34.1(1) of the Alberta Act, an organization must provide notice to the Alberta Privacy Commissioner of any incident involving (i) the loss of or (ii) the unauthorized access to or (iii) the disclosure of personal information if a “reasonable person” would consider that there exists a “real risk of significant harm” to an individual as a result of the privacy breach.

If the harm-based threshold is met, the Alberta Privacy Regulations provide that the organization must advise the Alberta Privacy Commissioner in writing of the following information:

  • a description of the circumstances of the loss or unauthorized access or disclosure;
  • the date on which or the time period during which the loss or unauthorized access or disclosure occurred;
  • a description of the personal information involved in the loss or unauthorized access or disclosure;
  • an assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure;
  • an estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure;
  • a description of any steps the organization has taken to reduce the risk of harm to individuals;
  • a description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure; and
  • the name of and contact information for a person who can answer the Alberta Privacy Commissioner’s questions about the loss or unauthorized access or disclosure.

Following notification, the Alberta Privacy Commissioner may require that the organization notify an individual who may be subject to a real risk of significant harm as a result of the privacy breach. If notification is required, the notification must generally be direct (as opposed to indirectly through news releases or other general communications).  However, the Alberta Privacy Commissioner may permit indirect notification if direct notification would be unreasonable.  

The Alberta Privacy Regulations provide that the notice to individuals must include the following information:

  • a description of the circumstances of the loss or unauthorized access or disclosure,
  • the date on which or the time period during which the loss or unauthorized access or disclosure occurred,
  • a description of the personal information involved in the loss or unauthorized access or disclosure,
  • a description of any steps the organization has taken to reduce the risk of harm, and
  • contact information for a person who can answer, on behalf of the organization, questions about the loss or unauthorized access or disclosure.

In my next post in this series, I’ll discuss the factors that the Alberta Privacy Commissioner considers in evaluating whether notification is required.