Tamara Hunter

Privacy Interviews with Experts
February 2012
Toronto / Washington DC / Brussels
www.nymity.com
Tamara Hunter
Associate Counsel, Head of the Privacy Law Compliance Group
Davis LLP
Canada
Are You Prepared To Respond To A Breach: When, Not If, It Occurs?
Many organizations still have not taken sufficient steps to prepare for the inevitable: an information security or privacy breach.
Some commentators have referred to 2011 as the “year of the privacy breach”. Most organizations will likely experience some form
of loss of (or unauthorized access to) personal information during any given year, either directly or indirectly through a vendor or
supplier. While not all of these data losses will be large or significant, one cannot easily predict the magnitude of the media and public
response. Responding under crisis can be very difficult.
Tamara Hunter, Associate Counsel with Davis LLP in Vancouver, British Columbia, and Head of the Davis LLP Privacy Law Compliance
Group, has been working on privacy law matters with private and public organizations for many years. She has found that
organizations that put contingency plans in place for responding to an information security breach well in advance fare much better
when the inevitable breach occurs, as compared to those who have done no advance preparation.
Tamara shares with us what it means to weather a breach ‘better’, why preparation is key and some of the best practices in security
and privacy incident response programs.
Tamara has practised privacy law for over ten years. Her practice in this area began with public bodies who were subject to freedom
of information legislation, and quickly branched out when the federal Personal Information Protection and Electronic Documents Act
(“PIPEDA”) came onto the legal horizon, and expanded again when the British Columbia Personal Information Protection Act was
introduced. Tamara has assisted numerous private sector organizations with privacy audits and with finding ways to effectively and
efficiently comply with applicable privacy law. Tamara continues to advise public bodies regarding compliance with freedom of
information legislation and has represented numerous organizations, both public and private, before the Office of the Information
and Privacy Commissioner for British Columbia and before the Yukon Privacy Commissioner. Tamara has also appeared before the
Federal Court on a federal Access to Information Act matter and before the British Columbia Courts and the B.C. Human Rights
Tribunal on various privacy law cases.
Nymity: First of all, what is considered a security or privacy breach in Canada?
Hunter: Generally speaking, any time that personal information (that is, information about an identifiable individual) is accessed,
used or disclosed in an unauthorized manner, that would be considered a privacy breach or an information security breach. An
information security breach could, of course, involve confidential corporate information, rather than individual information - a breach
involving corporate information could be very serious and would constitute an information security breach, but it would not normally
be characterized as a “privacy” breach.
The proposed amendments to PIPEDA define “breach of security safeguards” as follows:
“the loss of, unauthorized access to, or unauthorized disclosure of, personal information resulting from a breach of an organization’s
security safeguards…”.
The Alberta Personal Information Protection Act also refers to “any incident involving the loss of or unauthorized access to or
disclosure of …personal information”.
Nymity: From your experience, what types of breaches might occur that an entity might want to prepare for?
Hunter: There are many different possible kinds of information security breaches. The ones we frequently see in the media typically
involve a hacker accessing an organization’s data through electronic means, usually for criminal purposes. We also see stories in the
media about sensitive records found in dumpsters or blowing around on the streets because they have not been disposed of properly
and securely. Lesser-known examples might include: unauthorized changes to personal information held by an organization (for
example, an unauthorized change of a customer’s address so that the customer’s information gets mailed to an unauthorized person), a
staff member snooping in databases to view personal information of customers or fellow employees without a legitimate purpose, or
the loss or theft of a briefcase or PDA which contains personal information.
Nymity: What are the regulatory requirements for public and private entities when a breach occurs?
Hunter: Organizations subject to Alberta PIPA have an explicit positive obligation to notify the Alberta Commissioner where there has
been loss or unauthorized access or disclosure of or to personal information in circumstances where a reasonable person would
consider that there exists a real risk of significant harm to an individual as a result. The Alberta Commissioner will then decide
whether notice must be given to affected individuals and what other steps must be taken by the organization. There have been
numerous decisions of this nature issued by the Alberta Commissioner.
If the proposed amendments to the federal PIPEDA are passed by Parliament, organizations subject to PIPEDA (e.g.
telecommunications companies, airlines, banks) will also have an obligation to report a “material breach” of security safeguards to the
federal Privacy Commissioner.
In B.C., there is currently no explicit mandatory duty for a private sector organization to report an information security breach to the
Commissioner or to affected individuals. However, B.C. PIPA (like most other privacy legislation) obliges organizations to take
reasonable security measures to protect personal information. This means that, in many instances, an organization must assess
whether to notify affected individuals when a breach has occurred in order to prevent further unauthorized access or harm occurring.
For example, an individual who is notified that their deposit account information at a provincially-regulated financial institution has
been subject to unauthorized access may be able to take steps to close that account and thus avoid further potential consequences.
A failure to notify that individual may be a breach of the general obligation to secure personal information, even where there is no
explicit obligation to notify individuals in the event of a privacy breach.
Ontario’s Personal Health Information Protection Act also contains an express breach notification requirement in relation to personal
health information.
Public bodies and service providers to public bodies must also be aware of “internal” breach notification requirements. For example,
B.C. FOIPPA, s. 30.5, requires employees, officers and directors of public bodies, as well as service providers, to immediately notify the
head of the public body when there has been an unauthorized disclosure of personal information in the custody or under the control
of the public body. Similarly, service providers to public bodies may be subject to contractual obligations to immediately notify the
public body when an information security breach has occurred. For that matter, service providers to other businesses may also be
subject to contractual obligations to notify their client of information security breaches.
Nymity: What about best practices for public and private entities when a breach occurs?
Hunter: The best practice is to develop an information security breach response plan before any breach occurs. However, the key
steps in responding to an information security breach are:
1) containing the breach (e.g. seeking the return of records, shutting down the system that was breached, correcting weaknesses in physical, technological or operational security to the extent this can be done in the short term);
2) evaluating the risks associated with the breach (e.g. consider what personal information was involved, how sensitive the information is, how it could be used by third parties, whether the information is encrypted or password protected, etc.);
3) notifying affected parties as necessary (this will involve a consideration of legal obligations (legislative, contractual, etc.) and corporate values, as well as the practicalities involved); and
4) taking steps to prevent future breaches (e.g. fully investigating the cause of the breach and taking steps to address this, such as changing policies and procedures, training staff, disciplining staff if appropriate, etc.).
Nymity: What is typically gained by putting in place an incident response plan that addresses a breach in advance? What risks are
mitigated?
Hunter: Developing an information security breach plan in advance will allow an organization to think ahead about what type of
information security breaches could occur and to develop a plan for responding to such breaches in a calm, methodical manner, with
the benefit of input from all appropriate departments of an organization and from appropriate outside professional advisers, rather
than being forced to respond quickly in a crisis situation, with limited resources and using whatever staff happens to be available
(while the media is waiting for you to respond and irate customers are demanding answers!).
The biggest risk that is mitigated by such preventive, proactive steps is the risk of reputational damage to your organization. Other
risks that are mitigated include the risk of increased legal liability (for example, if the breach is not “contained” quickly enough) and
the risk of a full investigation being done by the Commissioner’s office (and the associated cost and drain on staff resources that
accompany such an investigation) if the Commissioner’s office is concerned that your organization is not taking appropriate steps
quickly enough to address the breach.
In my own practice, I am aware of a private sector organization that did have a contingency plan in place for a potential information
security breach. When that organization was faced with a simple human error by an employee that resulted in some customer’s
financial information being inadvertently sent to the wrong recipient (and that also resulted in media coverage), the organization was
able to deal with the situation very methodically, effectively and quickly. The organization decided to voluntarily advise the applicable
Commissioner’s office of the situation and of the organization’s response. The Commissioner’s office then did a brief investigation
and ultimately issued a letter to the organization commending the organization on its response. While this matter was undoubtedly
stressful for the organization, it was not nearly as stressful as it would have been if they had not done advance planning for this
contingency. Also, the costs to the organization were minimized in this situation.
Nymity: What are some of the consequences of not putting in place that plan in advance?
Hunter: Being caught flat-footed when a breach occurs, with no clear idea about what to do, how to do it or who to contact, and thus
being slow and ineffective in your response. Failing to meet statutory or contractual obligations and incurring augmented legal fees
and reputational damage as a result. Losing the trust of your customers. Suffering a decline in employee morale. Facing a class
action brought by angry customers.
Nymity: What does an incident and breach response plan typically include?
Hunter: A response plan would normally include things like:
· identifying the individuals within your organization and the outside professional advisers who should be on your organization’s breach response team (it even helps to address little things, like having all the contact information for these people compiled and easily accessible in a breach response “kit”, given that information security breaches seem to follow Murphy’s Law, in that they often happen in the middle of the night on weekends and holidays!);
· compiling a record (e.g. a table) of the different types of personal information held by your organization and their relative sensitivity, as well as the security measures in place to protect such information (e.g. you should be able to quickly determine whether information that has been compromised is encrypted, protected by passwords, etc., whether an audit report is available to identify when and by whom the information was accessed, and be able to provide answers to technical questions about these matters);
· developing a clear understanding of the flow of personal information through your organization and out to other organizations, and of the mechanisms and safeguards that are in place at different stages in this flow - for example, you will want to be able to quickly put your hands on any applicable resources or documents relating to this if a breach occurs (e.g. an audit report showing who accessed which data at what time, or a contract between your organization and a service provider or end user containing information security provisions);
· developing a list of options and mechanisms for containing a potential breach;
· developing a list of factors to consider when evaluating the risks associated with a breach - this will assist you, when a breach occurs, with determining what responses and notifications are required;
· developing a plan for notification, if this becomes necessary when a breach occurs. Consider which individuals and organizations might need to be notified in the event of various types of information security breaches. How would your organization go about doing this notification? What types of notification should be considered in what circumstances (e.g. telephone calls, letters, public notices on websites or in the media, etc.)? This would include things like determining what legislative or contractual notification requirements would apply in various scenarios and developing draft communications that will give you a “head start” in a real breach situation.
When you consider this list, it becomes apparent that developing a breach response plan may also alert you to potential gaps or risk
areas in your organization’s privacy compliance.
Nymity: What does it take to put such an incident and breach response plan in place?
Hunter: It takes the will of the organization’s leaders to make that happen - if they visibly put value on that kind of preparation and
provide appropriate resources and support to their key managers and department heads, the rest will follow, especially if the
organization has a Privacy Officer who can coordinate the process. It will be important to assemble a contingency plan team that
includes the organization’s Privacy Officer and key people from all relevant areas of an organization - examples include: legal,
marketing, administration, technology, physical security, and communications. Outside professional advice may also be valuable.
The B.C. Information and Privacy Commissioner has a number of useful planning documents on its website. This is a good place to
start.
These interviews are provided by Nymity as a resource to benefit the privacy community at large. The interviews represent the points of view of the interview subjects and Nymity makes no guarantee as to
the accuracy of the information. Errors or inconsistencies may exist or may be introduced over time as material becomes dated. None of the foregoing is legal advice. If you suspect a serious error, please
contact [email protected].
All interviews are copyrighted. No re-posting of them or distribution without permission.