INTERNATIONAL DATA BREACH RESPONSE - A PRIMER
Shaun Brown, Partner, nNovation LLC, [email protected]
Shawn Melito, Director, Kivu Consulting, Inc., [email protected]

AGENDA
Law
• Canadian Legislative Landscape
• Overview of Breach Notification Requirements in Canada
• Alberta PIPA Breach Notification
• PIPEDA Breach Notification (coming soon)
• Health Privacy Law Breach Notification
• International Considerations (US & EU)
• Data Breach Class Actions
Logistics
• Scenario 1 – Large Canadian Retailer
• Scenario 2 – Worldwide Exposure
Questions

Law

PRIVATE SECTOR LEGISLATION
(Map slide) Legend: Personal Information Protection Act; Act respecting the protection of personal information in the private sector; PIPEDA; Provincial Legislation; Personal Information Protection Act

PRIVATE SECTOR NOTIFICATION (CURRENT)
(Map slide) Legend: No requirement; Provincial Legislation – Personal Information Protection Act

PRIVATE SECTOR NOTIFICATION (NEAR FUTURE)
(Map slide) Legend: PIPEDA (Coming Soon); Provincial Legislation – Personal Information Protection Act

PERSONAL HEALTH INFO LEGISLATION
(Map slide) Legend: Legislation; No Legislation
• Currently seven PHI laws
• PEI Health Information Act passed in 2014, not yet in force

PERSONAL HEALTH INFO NOTIFICATION
(Map slide) Legend: Legislation w/notification; Legislation w/o notification; No Legislation
• PEI Health Information Act passed in 2014, not yet in force, will require notification

PUTTING IT ALL TOGETHER
(Map slide) Legend: Notification (Private Sector); Notification (PHI); No Requirement
• Total of five laws that include notification requirements

ALBERTA PIPA BREACH NOTIFICATION
• In effect since 2010
• Must notify Commissioner without delay if:
  1. incident involving loss, unauthorized access to or disclosure of PI AND
  2. reasonable person would consider there exists a Real Risk of Significant Harm (RROSH)
• Commissioner can order notification to affected individuals based on RROSH (usually not required as individuals are already notified)
• Failure to follow order can result in max fine of $100,000

RROSH: THEORY
1. Must be “significant harm”:
  • damage, detriment or injury
  • important, meaningful and more than trivial
  • e.g., fraud, humiliation, reputational harm
2. Must be a “real risk” that harm will occur:
  • more than mere speculation or conjecture
  • harm must flow from breach (i.e., must be cause and effect)

RROSH: PRACTICE
• Threshold is low: e.g., stolen list of names & email addresses creates RROSH due to possibility of phishing
• Example of no RROSH: personal information briefly exposed on a corporate intranet, quickly rectified, audit log shows no access occurred
(Chart) 2015-2016: 125 decisions – RROSH (92); No RROSH (19); No Jurisdiction (14)

PIPEDA BREACH NOTIFICATION
• Not in effect yet (likely 2018); ISED required to pass implementing regulations
• Similar to Alberta PIPA - must notify Commissioner and affected individuals if:
  1. Breach of security safeguards AND
  2. Reasonable to believe RROSH exists
• Additional record-keeping requirements: record every breach of security safeguards (even if no RROSH) and provide records to Commissioner on request
• Failure to report is an offence; possible fines up to $100,000

HEALTH PRIVACY BREACH NOTIFICATION
• Four of seven health privacy laws require notification (NB, NL, NS, ON)
• Specific definitions vary; generally refers to the loss of, unauthorized access to or unauthorized disclosure of personal health information
• NB, NL and ON require notification to Commissioners as well as individuals
• NB, NL, NS include exemptions from notification based on no reasonable expectation of harm

INTERNATIONAL: U.S.
• Laws in 48 states, plus D.C., Guam, Puerto Rico & Virgin Islands
• Many apply to governments as well as businesses
• Generally more prescriptive and more limited definition of personal information than Canada (focus on fraud and identity theft)
• Most apply to electronic data only (Canada applies to all forms)
• Most include harms test (as does Canada)
• Approx. half require notification to AG
• Approx. one-third specify required notification elements (as does Canada)
• Some include “safe harbor” for loss of encrypted data (this is a factor in RROSH)

INTERNATIONAL: EU GDPR
• GDPR in effect May 2018; applies to data controllers & processors
• Will likely apply if: 1) you do business with EU citizens; or 2) you process data of EU citizens on behalf of EU business
• Controllers must notify DPP of “personal data breach”, defined as “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data”
• Notice must be provided without undue delay and no more than 72 hours unless reasoned justification for delay
• Notice to DPP not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons”

INTERNATIONAL: EU GDPR
• Controllers must also notify affected data subjects if breach “is likely to result in a high risk to the rights and freedoms of individuals”
• Exceptions if data is rendered unintelligible (e.g., encryption), or other measures taken to ensure risk will not materialize
• Controllers must retain records of all breaches (regardless of whether notification is required) and provide to DPP on request

BREACH CLASS ACTIONS
• Significant increase in past 5 or so years; class actions are expected after large breaches
• No trials – precedent comes from class certification, settlement approval and motions for summary judgment
• Courts are skeptical of claims for breaches involving payment cards and simple identifiers based merely on stress and anxiety arising out of potential harm
• Settlements typically involve fees for class counsel and a fund for class members who can demonstrate some form of harm

LOZANSKI V. HOME DEPOT
The case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak. The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behaviour modification.

EVANS V. THE BANK OF NOVA SCOTIA
• Employee of Scotiabank selling/using customer info for fraud (proof that fraud had occurred)
• Total of 165 class members received $7,000 each
• Scotiabank denied vicarious liability, but it is an important issue with so many snooping cases

Logistics

SCENARIO 1 – LARGE CANADIAN RETAILER
Background:
• Many records breached
• NOT a PCI breach (which is rare for a retailer)
• Assumption - internal staff with admin rights clicked on a malware link via phishing email (non-targeted)
• PII stolen, no PFI or PHI taken
• Client decided to utilize U.S. based service provider for their experience and capacity
• Privacy Commissioner already notified, clock is running

SCENARIO 1 – LARGE CANADIAN RETAILER
Challenges:
• Client wanted a Canada Post indicia, even at a higher price
  – Mail forwarding partner needed
  – Lead time added to an already tight timeline
• Potential large number of French calls to call centre
  – English calls outsourced, French calls handled in-house
• Limited credit monitoring offers available
  – No PFI (SINs) breached, do we even offer?
  – Only two bureaus in Canada
  – Pricing and services vary (especially on two bureau)

SCENARIO 1 – LARGE CANADIAN RETAILER
Lessons Learned – Be Prepared:
• All organizations should have (not necessarily on retainer) at the ready:
  – Law firms experienced in data breach management (breach coaches)
  – Data forensic firms experienced in breach investigations
  – Crisis management capable public relations firm (if no internal resources)
• If your organization holds a lot (>1,000 records?) of PII, PFI, PHI, etc., have the following providers lined up ahead of time:
  – Mail and/or email notification providers
  – Call centre services
  – Credit monitoring and identity theft service providers

SCENARIO 1 – LARGE CANADIAN RETAILER
Lessons Learned - Insurance:
• Consider speaking to your insurance brokers about purchasing cyber insurance:
  – Many or all of the costs above are covered (after hitting your SIR, of course)
  – All reputable Canadian cyber insurers have dedicated Canadian service provider panels

SCENARIO 2 – WORLDWIDE EXPOSURE
Background:
• Well known U.S. headquartered luxury goods and services provider with worldwide exposure (Canada and E.U. especially, but Asia and Australia as well)
• Client hit by an APT ransomware attack (targeted)
• Initially thought no exfiltration of data; further investigation revealed that was incorrect. PII and PCI data of approximately 50,000 customers taken
• Due to “white glove” nature of clientele, mail & email notification were chosen, along with 24/7 international call centre services and credit monitoring for all

SCENARIO 2 – WORLDWIDE EXPOSURE
Challenges – Mail Notifications:
• 13 different languages (multiple translations and law firms with differing opinions required)
• Some regions were resistant to sending PII overseas. Two handled call centre and notification on their own (although it came from U.S. budget)
• Multiple regions wanted local postage (at much inflated costs) vs. generic indicia via mail forwarding partner
• U.K. division demanded A4 paper and envelopes. Bedford based printer sourced at last minute at large expense

SCENARIO 2 – WORLDWIDE EXPOSURE
Challenges – Call Centre:
• Client wanted toll free calling for everyone, but the North American Numbering Plan (NANP) only covers 25 regions
  – At an extra expense, individual toll free numbers were acquired for areas of high customer density (Hong Kong, Japan, China, etc.) which then “pointed” to the generic call centre
  – All other callers called a direct local U.S. line – not ideal
• 35 different languages handled over 90 days
  – Call-in translators utilized at a large expense
• Extreme cost to staffing call centre 24/7 over 90 days
• FAQ nightmare! Regional call centres were going “off script” and causing problems. Have a standard offer for upset customers.

SCENARIO 2 – WORLDWIDE EXPOSURE
Challenges - Credit Monitoring:
• Credit monitoring (as most Canadians and Americans know it) does not exist in many jurisdictions!
• Many credit monitoring companies offer an alternative product known as a “webcrawler”, but beware - reputable credit bureaus will only offer it in countries where it is allowed by privacy law. Because it is web-based, others say it can be used anywhere, but risks are unclear.
• Identity theft services (lost wallet registry, identity restoration/assistance, insurance) also vary country to country

SCENARIO 2 – WORLDWIDE EXPOSURE
Lessons Learned:
• Manage expectations ahead of time, especially if cost control is important to you. While brand image is important, not everyone can have the “white glove” treatment
• Notifications:
  – Choose a provider with the ability to handle notifications in multiple languages to multiple destinations.
  – Be willing to settle on a main forwarding solution
  – Utilize email notification where appropriate and allowed by law

SCENARIO 2 – WORLDWIDE EXPOSURE
Lessons Learned:
• Call Centre:
  – For organizations with worldwide operations and/or client base, pre-vet a call centre provider that has multiple languages and potentially 24/7 service
• Credit Monitoring:
  – Know what exists and who provides it in each country where you have clients. There is no one-size-fits-all solution
• Be prepared to cut a very large cheque (or have a very large cyber insurance policy)!

THANKS FOR ATTENDING
Questions?