Post on 23-Jun-2018

© 2013 Torys LLP. All rights reserved.

Privacy Breach Guidelines:

Post-Breach Best Practices

Pat Flaherty and Molly Reynolds

Managing Privacy Compliance – March 7, 2013

Overview

• What is a “breach”

• Costs of breaches to Organization

• Red Flag Scenarios

• Breach Response

• Class Action Risks


What is a Breach?

“A privacy breach occurs when there is unauthorized access to or collection, use, or disclosure of personal information.

Such activity is “unauthorized” if it occurs in contravention of applicable privacy legislation, such as PIPEDA, or similar provincial privacy legislation.”


Costs to Organizations when Privacy Breaches Occur

> Damage to Reputation

> Litigation Risks: potential for liability and costs

> Management time/preoccupation with responding

> “Compensation” to Third Parties

> Recovery of lost data

> Repair/overhaul of IT systems

Risks to Organizations when Privacy Breaches Occur

• Reputational Risk:

> Privacy Commissioner uses it:

• Aeroplan

• TJ Maxx

• CIBC

• Ryerson

• Daimler Chrysler Financial Services

• National Bank Financial

• Sony PlayStation

Litigation Risks

• Threat of Class Action Proceedings

> Increased risk of mass and other breaches as information collection and transmission becomes more pervasive and automated

> Damages may be awarded for “any humiliation that the complainant has suffered”

> Risks compounded by growing potential for class actions and perhaps by the evolution of the common law tort of “intrusion upon seclusion” (Jones v. Tsige, OCA 2012)

Litigation Risks cont’d

> The number of individuals that might be affected by a PIPEDA contravention could be large

• difficulty in establishing an identifiable class

• difficulty in proving actual damages

• But both the common law and interpretations of legislation such as PIPEDA and PIPA can change over time in response to novel technology (Schindler Elevator Corporation, 2012 BCIPC No. 25)

Red Flag Scenarios

Common factual scenarios associated with mass “breach” include:

• Stolen or lost property (laptops, BlackBerry, iPhone, USB key)

• Poor business procedure or operational break-down

• Failed IT process

• Data transfer, including domestic and international outsourcing

Recent Examples of Mass Breach and Lessons Learned

• PIPEDA Case Summary #289 - Stolen Laptop

• CIBC/Talvest

• Ryerson University

• DaimlerChrysler Financial Services

• TJX (Winners/Homesense)

• Heartland

• Sony PlayStation


Mandatory Breach Notification in Proposed PIPEDA Amendments

> Re-introduced as Bill C-12 and now being debated at first reading

> Significant Amendment

• Mandatory breach notification (to Privacy Commissioner and affected individuals in certain circumstances)

> Outside of personal health information, only Alberta currently has mandatory private sector breach notification

• APIPA (s.34(1)) requires notification to the Alberta Information and Privacy Commissioner of a breach where there exists a real risk of significant harm to an individual

PIPEDA Amendments – Mandatory Breach Notification

• Breach Notification to Individuals Affected

> where it is “reasonable” to believe that the breach creates a “real risk of significant harm to the individual”

> guidance on test

• sensitivity of the information

• probability that the information has been or will be misused

• specific circumstances where notification is required

Proposed PIPEDA Amendments – Mandatory Breach Notification

• Requirement to notify Privacy Commissioner of “material” breaches

> guidance on factors relevant to determining materiality:

• Sensitivity of the information

• Number of individuals affected

• Organization’s assessment of whether the breach indicates systematic problems

Mandatory Breach Notification in Europe

• European Union e-Privacy Directive 2009/136/EC

> Mandatory breach notification for public communications providers

• Individuals - adverse effect

• National Authority - without undue delay

> Not required where data rendered unintelligible


Responding to a Privacy Breach

PCO Guidelines for Breach Responses

1) Breach Containment and Preliminary Assessment

> Immediate steps to contain the breach

> Notify police if applicable

> Escalate internally; build a team to deal with breach

> Involvement of Legal Counsel


Responding to a Privacy Breach

PCO Guidelines for Breach Responses (2007)

2) Evaluate the risks associated with the Breach

> Was personal information involved?

> Cause and Extent of Breach

> Individuals affected

> Foreseeable Harm from the Breach

> All part of making the determination on the notification obligation under the 2012 amendments to PIPEDA

Responding to a Privacy Breach

PCO Guidelines for Breach Responses

3) Notification

> Notifying affected individuals

> When and how to notify; who should be notified?

> What should be included in the notification?

> Others to contact (e.g. Privacy Commissioner, police, insurers, etc.)

> PIPEDA 2012 Amendments require notification where it is “reasonable” to believe that the breach creates a “real risk of significant harm to the individual”

Responding to a Privacy Breach

PCO Guidelines for Breach Responses

4) Prevention of Future Breaches

> Develop/amend Breach Prevention Plan

> Security Audit

> Review policies

> Train employees

> Review service providers

> Continual monitoring of compliance with policies.

Role of the Privacy Commissioner in the event of a breach

• Open “incident” file

• Monitor incident

> less in-depth than an investigation

• Will require the following information:

> what happened

> what steps are being taken to address the situation

> what has been done to mitigate a recurrence

> whether affected individuals have been notified

• May make suggestions to the organization

When to notify the Office of the Privacy Commissioner (For Now)

• Voluntary reporting to the Commissioner in Canada (2012 amendments formalize this)

• PCO Guidelines: report “material” breaches

• Considerations when to report:

> legislation requiring notification

> personal information subject to privacy legislation

> type of personal information

> number of people affected by the breach

> whether the affected individuals have been notified

> if the PCO would likely receive complaints

How to notify the Privacy Commissioner of a Breach

• Privacy Breach Incident Report: http://www.priv.gc.ca/resource/pb-avp/pb_form_e.pdf

• Can be reported by mail, email or fax

Role of the Privacy Commissioner in the event of a breach cont’d

• On rare occasions, the Privacy Commissioner may turn an incident file into a complaint investigation:

> serious breach;

> systemic breach; and/or

> inadequate response to the breach.


PIPEDA: Sanctions and Compliance

> PCO has no statutory enforcement power

• Can investigate breaches and issue reports

> If the Privacy Commissioner finds a breach, the Commissioner may:

• Prepare a report that contains the Commissioner’s findings, any settlement reached by the parties and any relevant request regarding actions or proposed actions to be taken to implement the report’s recommendations (thereby publicizing the breach)

PIPEDA: Sanctions and Compliance

• apply to a court for a hearing if the Privacy Commissioner has the consent of the complainant

• appear before a court on behalf of any complainant who has applied for a hearing

• with leave of a court, appear as a party to a hearing

A court may, in addition to the other remedies it may give, order an organization to:

• correct its practices

• publish a notice of any action taken or proposed to be taken to correct its practices, whether or not ordered to correct them

• award damages to a complainant, including damages for any humiliation that the complainant has suffered (2 cases to date: $1500-$5000)

Potential elements of a Privacy Breach Response Plan

• consult legal counsel

• commence internal investigation into circumstances surrounding the breach (with counsel) and police if necessary

• inform relevant directors, officers, personnel of breach

• notify individuals whose privacy has been breached

Potential elements of a Privacy Breach Response Plan

• consider pre-emptive notice to regulator(s)

> regulators may give input on whether the breach is “likely to cause significant harm”

• minimize damage to the organization’s reputation by developing a public relations position and appropriate communications strategy

• learn from the current breach to help prevent similar breaches in future

Other mitigation strategies: Privacy Insurance

• Privacy Breach Insurance is available

• Risks Typically Insured:

> Crisis Management and Notification Expenses

> Third party Liability

• Typical Exclusions:

> Losses Covered under other policies

> Misconduct exclusions

How to prevent Privacy Breaches

• Develop internal policies and best practices for the collection, use and retention of personal data

• Make it easy for individuals discovering a breach to report it

Best Practices for Data Collection to Prevent Privacy Breaches

• Limit collection to that which is demonstrably necessary.

• Describe the types of personal information collected and the reasons for the collection.

• Clearly identify where information that is being sought is optional.

• Explain the uses and disclosures that will be made of the personal information, including if it will be:

> shared with other companies, including related companies

> shared with service providers, and whether the information may be stored or processed outside Canada

> specifically include the right to disclose in connection with a sale of assets

Best Practices for Data Use and Disclosure to Prevent Privacy Breaches

• Knowledge and consent of individual is required.

• Limit use and disclosure to that which is demonstrably necessary.

• Personal information should not be used or disclosed for purposes other than those for which it was collected, except with further consent of the individual or as required by law.

• Privacy policy should set out information management practices.

Best Practices for Data Retention to Prevent Privacy Breaches

• Balance the obligation to keep records with the importance of limiting retention of personal information

• a policy against leaving laptops in cars, or simple password protection, is not sufficient

• sensitive info requires data encryption and the capability for remote destruction of data

• privacy disaster response plan

• employee awareness of issues of privacy

“Privacy” Class Actions

• Two primary circumstances:

> Claims arising from mishaps/crime

> Claims challenging business practices

• Causes of Action Asserted:

> negligence

> breach of PIPEDA or other statutory obligations

> the “intrusion upon seclusion” tort has arrived, but is not necessarily tenable as the basis for a class claim for a mass breach because of the need to prove intent (at least recklessness) rather than negligence

Privacy Class Actions: Claims arising from mishaps

• unintended disclosure of personal information

> US: Pinero v. Jackson Hewitt Tax Service Inc.

> US: AOL sued for alleged breaches of federal electronic privacy law after it temporarily and accidentally posted nearly 20 million keyword searches of approx. 658,000 AOL members on a public website

> Canada: Class action against Correctional Services Canada, USB key case and DaimlerChrysler Financial Services Canada

> US: Financial institutions have been plaintiffs as well as defendants – in the massive Heartland security breach, major credit card companies settled for an aggregate ~$110M. Banks also filed statements of claim; however, their claims were ultimately dismissed

Privacy Class Actions: Arising from crime

• Computer crime can result in major data breaches

> Sony PlayStation (April 2011)

• delay in notification cited by PCO as troubling

Privacy Class Actions: Arising from business practices

Allegations fall into one or more of these categories:

1. company acquired, used or disclosed customers’ personal information without prior authorization or consent

2. company contravened privacy policy

3. company diverted users’ private data to third party providers of targeted advertising for profit

Privacy Class Actions: Arising from business practices

• US: Facebook, Google

• Canada: Union de Consommateurs v. Bell Canada

> Law still developing; most claims at early stages

> Many privacy class actions in the US are based on statutory causes of action that are not available in Canada (e.g. cause of action for damages for specific misuses of technology)

> CASL penalties (discussed earlier)

Class Actions: Privacy Damages

• it is infrequent that a data breach causes actual financial loss (other than to financial institutions that indemnify customers)

• Courts are wrestling with the notion of damages for anxiety about risk of loss: the Quebec Court refused to certify a loss-of-data class claim for anything other than pecuniary loss (LaRose c. Banque Nationale du Canada)

• PIPEDA provides for damages for “humiliation” for breach of certain parts of the Act (only 2 cases, low damages, extreme circumstances)

• the new tort of “intrusion upon seclusion” permits damages for non-pecuniary loss, but the claim as currently cast is for deliberate intrusion, not negligence (though there is a prospect for a claim based on recklessness)

www.torys.com

Toronto: 416.865.0040

New York: 212.880.6000