[BreachExchange] Cybersecurity Data Breaches and Mandatory Privacy Breach Reporting: Lessons from Alberta

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 21 10:04:29 EDT 2016


http://www.jdsupra.com/legalnews/cybersecurity-data-breaches-and-61996/

In an increasingly interconnected and digitized world, data breaches have
become ever more common. The wealth of personal information that
corporations have in their possession means that such breaches can occur in
even the most benign circumstances. Although many corporations have
developed sophisticated privacy and cybersecurity protocols to minimize
these risks, data breaches have become a feature of 21st century life.

With respect to cybersecurity breaches that involve personal information,
many governments have placed the onus on corporations to be transparent
about such breaches and notify appropriate public authorities whenever they
arise. Different methodologies abound, but Canadian jurisdictions are
increasingly adopting mandatory breach reporting requirements into their
legislation to accomplish this end.

Alberta is currently the only Canadian jurisdiction that imposes mandatory
privacy breach reporting requirements on private sector organizations.
However, similar requirements will soon be coming on the federal level.

ALBERTA LEGISLATION

As its name suggests, mandatory privacy breach reporting is an obligatory
process. It requires an organization that experiences a privacy breach to
notify the applicable authority and, if necessary, affected individuals of
the breach.

Alberta’s private sector mandatory privacy breach reporting requirements
are set out in its Personal Information Protection Act (PIPA). Section 34.1
of PIPA requires organizations to notify the Office of the Information and
Privacy Commissioner (Alberta OIPC) of any incident “involving the loss of
or unauthorized access to or disclosure of the personal information where a
reasonable person would consider that there exists a real risk of
significant harm to an individual.” Once notified of a breach, the Alberta
OIPC reviews the information and determines whether to notify affected
individuals. That being said, many organizations adopt a proactive approach
in such circumstances and notify individuals well before any such order
from the Alberta OIPC.

For organizations involved in the public health sector, it should also be
noted that a mandatory breach reporting requirement will soon come into
force under Alberta’s Health Information Act (HIA). Per section 60.1 of the
HIA, organizations will have a duty to notify the Alberta OIPC and the
minister of health whenever there is a loss of individually identifying
health information if there is a real risk of significant harm to the
individual. The exception to notification under this provision is where it
could reasonably be expected that the notification would result in a risk
of harm to the individual’s physical or mental health.

FEDERAL LEGISLATION

Mandatory breach reporting requirements will also soon be coming into force
under the federal Personal Information Protection and Electronic Documents
Act (PIPEDA). Under section 10.1 of PIPEDA, organizations will be required
to notify individuals and the Office of the Privacy Commissioner of Canada
(Canadian OPC) where “it is reasonable in the circumstances to believe that
the breach creates a real risk of significant harm” to the individual.
Organizations will also be required to notify other organizations (e.g.
credit bureaus) and the government if such notice could reduce risks or
mitigate harm and keep a record of every breach of personal information
under their control (upon request, such records must be provided to the
Canadian OPC). A failure to abide by these new PIPEDA protocols is
punishable by a fine of up to C$100,000.

RECENTLY REPORTED DATA BREACHES IN ALBERTA

In the limited time since mandatory breach reporting was first implemented
in Alberta in 2010, there have been a host of data breaches that have
triggered these requirements. Through the years, the primary principle that
can be drawn from these instances is that breaches can occur in a multitude
of ways. A brief overview of three recent decisions from the Alberta OIPC
illustrates this point:

Cowboys Casino: Hackers compromised the casino’s computer systems and stole
over 6.5 gigabytes of sensitive personal information of employees and
customers. The hackers threatened to release the information unless they
received a ransom.

Godiva Chocolatier of Canada Ltd.: An employee’s suitcase containing a
password protected (but unencrypted) laptop was stolen from a rental car in
Texas. Personal information may have been contained in the laptop. Over 100
Alberta residents were affected by this incident.

Big Fish Games: In this case, malware was installed on the organization’s
online purchasing system. This malware appeared to intercept the payment
information of some of the organization’s customers. Over 350 individuals
in Alberta were affected by this incident.

With mandatory breach reporting legislation coming into force federally, it
is likely that a similar range of data breaches will be seen in that
jurisdiction as well.

PRACTICAL CONSIDERATIONS

It is important that organizations adopt a proactive approach to combatting
potential data breaches. Most often, this begins with the development and
implementation of a privacy management program. Helpfully, the Canadian OPC
and its provincial counterparts in Alberta and British Columbia have
jointly created a comprehensive document, Getting Accountability Right with
a Privacy Management Program, to aid in the development of such programs.

By way of summary, this document sets out the following foundational
principles for an effective privacy management program.

Organizational commitment: It is essential that organizations commit to
implementing privacy management protocols. To this end, management should
actively support privacy initiatives and should even designate a privacy
officer to oversee these matters. Such “top-down” involvement is crucial in
creating a culture of compliance.

Program controls: Organizations must assess what types of personal
information they hold and determine how they utilize it. In doing so, they
can determine what mediums need to be employed to protect the information
and then craft their policies accordingly.

Risk assessment tools: As privacy requirements change in jurisdictions over
time, organizations should conduct risk assessments periodically to ensure
that all aspects of applicable legislation are complied with.

Training and education: By properly educating staff to understand how to
assess privacy risks and respond to potential data breaches, organizations
can minimize damage if and when it arises and save significant resources
over time.

Breach and incident management response protocols: In the event that a
breach does occur, organizations should have a procedure and a team in
place to manage the response.

Service provider management: Organizations should be conscious about how
the personal information they retain is handled by third-party service
providers. This consideration is especially relevant if the third party
operates in a foreign jurisdiction.

Ongoing assessment and revision: In addition, organizations should
regularly review their privacy policies and protocols to ensure they are up
to date. Through such monitoring, any concern can be documented and, if
necessary, addressed.

By basing a privacy management program on these principles, organizations
can develop strong internal policies that will not only comply with
upcoming mandatory breach reporting legislation but safeguard organizations
from potential data breaches.