Hot Issues in Privacy Law: Responding to Privacy Breaches

Remarks at the Ontario Bar Association Professional Development Program Session

June 8, 2009
Toronto, Ontario

Address by Elizabeth Denham
Assistant Privacy Commissioner of Canada

(Check against delivery)

Headlines about major data spills over the past few years have put renewed emphasis on the protection of personal information.

The scope of some of these breaches – more than 98 million payment cards put at risk in the TJX breach; 25 million people affected by the U.K. Revenue and Customs incident – was enough to keep regulators and business leaders up at night. 

Such high-profile breaches can also further fray consumer confidence, which is already tattered during these recessionary times.

Many governments are responding with mandatory breach notification legislation. In Canada, I am hopeful about our progress, but we’re not there yet.

It’s true that there is some controversy about how much we would gain from a mandatory breach notification regime.

The Centre for Information Policy Leadership, housed at Hunton & Williams LLP, argues that, based on the U.S. experience, breach notification laws won’t do much to combat identity theft.  In a report last year, the Centre noted that there was evidence of identity theft in only one of the 24 biggest publicly reported breaches in the U.S. between 2000 and 2005.

But more recent statistics show otherwise-according to the 2009 US Data breach report from Verizon Business, criminals nabbed 286 million in 2008; more than was stolen in the last four years.

Organized crime has moved into data theft in a big way. At the OPC, a disturbing number of self-reported breaches have resulted in fraudulent activity – most of which are inside jobs, not malicious attacks from outside hackers.

But issues other than fraud and identity theft are at stakes as well. A key objective of breach notification is promote better security. Good security is not just about preventing identity theft, it is about protecting people’s privacy.

When it comes to breach notification, the U.S. has really taken the lead.

California passed the first law requiring customer notification and virtually all U.S. states have now followed suit.

Last year, the Australian Law Reform Commission called on the Australian government to introduce mandatory data breach disclosure laws.

And the European Commission has been debating an e-Privacy Directive, which includes a data breach notification provision for public web service providers.

Here at home, Industry Canada has been working on a draft breach notification reporting regime, a step recommended by the Parliamentary committee that conducted a broad review of PIPEDA, our federal private-sector privacy law.

There are two parts to the regime – notification of individuals, and notification of the Privacy Commissioner’s Office.

We’re generally pleased with the proposed model: It is a more nuanced regime than most US states, is harm based and sensitive to the chanllenges posed by a broader definition of “data breach”.

With respect to our Office, organizations would be obliged to report any “material data breach” to us, and we’re fine with that wording. This means we will receive more notices than would go to individuals, allowing us to perform an important oversight and public policy role.

This regime would, of course, only affect organizations covered by the federal law, so Industry Canada has also been exploring the issues with provinces that have substantially similar privacy laws.

A common approach would make it easier for businesses to react following a breach.  It also ensures Canadian consumers enjoy the same benefits, no matter where they live.

Right now, Ontario is the only province with mandatory breach disclosure under its Personal Health Information Protection Act.

Alberta and British Columbia have also been reviewing their respective privacy protection laws, and legislative committees in both provinces have recommended adding notification requirements.

The Alberta committee, in fact, has gone so far as to propose making it an offence not to notify Privacy Commissioner of a security breach affecting personal information, where it is reasonable to do so.

In the absence of mandatory breach notification laws at the federal level, our Office has worked with consumer and business groups to develop a set of voluntary guidelines. 

The guidelines, outline key steps in responding to data spills, such as containing the breach or stopping the bleed; evaluating the risks; notifying people affected; and preventing future breaches.

We’ve also developed other tools to help organizations respond to a data breach, including a reporting form available online.

Last year, we have designated a “notification officer” in our Office, to ensure that breach reports arrive at one central place for attention and are handles in a consistent way.

In order to better understand the causes and consequences of data breaches, our Office has been analyzing the 136 breaches that were voluntarily reported to us between 2006 and 2008.

We found that the number of reported breaches rose from 23 in 2006, to 48 in 2007, and 65 last year.

This doesn’t mean there are more breaches; just that more of them are being reported to us after we published breach reporting guidelines in 2007.

Our data show that the banking industry accounted for the lion’s share of breach reports to our Office – more than three times as many as the next largest group, mortgage brokers.  

One explanation for this finding is that banks have adopted policies about reporting to our Office, other sectors haven’t.  Banks also have more personal information under their control and conduct exponentially more transactions than pretty much any other sector.

In our analysis, we categorized breaches in four different “buckets”.

Unauthorized access, use or disclosure of personal information, which requires a deliberate action or intent, was the most common type of breach reported to us over the study period, accounting for 36 percent of all incidents. These are the access without authorization breaches.

Accidental breaches, which accounted for just over 30 percent of the reports we received, included mailing foul-ups, improper disposal of personal information, e-mailing problems, and errors in faxing.

Theft of personal information was the third most common type of breach reported to us, accounting for nearly a quarter of the incidents that came to our attention. Laptops and other computers were stolen in about half the cases, and paper documents were swiped in the other half. This is  tricky category to analyze because it includes cases where the target of the theft was the laptop, not the data on the device. And organizations may not know which was targeted.

And, finally, the fourth category we defined was the loss of personal information stored on paper, digital storage devices, or audio or data tapes, where it was unknown whether the information was ever disclosed. Such losses accounted for one-tenth of the incidents reported to us. The CIBC Talvast data tape incident would fall into this category.

We also explored who was behind the cases of unauthorized access, use or disclosure of data, and what their motives may have been.

We found that staff at the organizations where the breaches occurred were to blame in two-thirds of the incidents, and employees of third-party service providers accounted for a further 10 percent. In other words, rogue workers were responsible for nearly 80 percent of cases of unauthorized access, use or disclosure reported to our Office during this period.

Disturbingly, nine times out of 10, the motive was fraud.

We also took a closer look at the “accidental disclosure” class of incidents, and found that, in the vast majority of cases, it boiled down to simple human error.

That’s not particularly surprisingly, as to err is human. More astonishing is that fewer people were foiled by technology than you might expect.

In fact, the single most common boo-boo we found was – of all low-tech things – plain old misdelivery of snail mail, faxes and e-mail.

When we looked across all types of incidents, we noted that multiple factors often came into play. I will mention just a few of the leading ones here.

One of the most common issue we encountered related to inadequate computer system security, which played a role in all cases of unauthorized access, use or disclosure of personal information.

Technologies are constantly changing, so it is critical for organizations to ensure their security systems remain up to the task of safeguarding personal data. 

Deficiencies in the physical security of the premises where the personal information is kept also played a role, especially where theft or losses occurred.

And the third major issue was insufficient employee awareness or training, which obviously played a role in all those mailing and faxing foul-ups I mentioned earlier. A poll commissioned by our Office in 2007 found that only one-third of all businesses reported having trained staff about their practices and responsibilities under Canada’s privacy laws. 

This study was only a snapshot of a particular period. It doesn’t tell us how many breaches actually occurred because notification to our Office is not mandatory. For part of the study period, even our voluntary breach notification guidelines had yet been published. 

It may not have deep evidentiary value. Still, it does show us the kinds of factors that contribute to data spills, and I think we can draw some interesting conclusions and important lessons from it.

First, with misconduct by staff or third-party service providers playing such a prominent role, organizations should ensure their privacy and security policies are effective and vigorously enforced.

Second, it is vital that organizations address potential security gaps, both in terms of their physical space and facilities, and their electronic systems.

And third, ongoing employee training and awareness are paramount, in light of the many cases where human error led to data spills. And remember that most of those errors were strikingly low-tech.

I want to emphasize that, during this economic slowdown, businesses looking to cut costs must resist the urge to scrimp on security and privacy protection.

At a time when criminals are more likely to be looking for vulnerabilities to exploit, corporate belt tightening on security may be counterproductive. Studies have shown that it’s much cheaper to get security right in the first place than to mop up after a data breach later.

We are, however, encouraged by the fact that many businesses have expressed to us their commitment to privacy, which they view as a competitive advantage.

When we learn about a breach, whether it is self-reported or reported by another source, we open a file.  We call these “incidents.”

An investigator will then monitor the incident – this is not as in-depth a process as an investigation.

Basically, we will want to know what happened; what steps are being taken to address the situation; what has been done to mitigate a recurrence; and whether notification to individuals has occurred or been considered.

We may make suggestions to the organization. There is a lot of expertise within the Commissioner’s offices.

We do not issue findings, but you will receive a letter from us when we close the file.

Reporting to us is not a get out of jail free card!

There are times when an incident file is turned into a complaint investigation.

This can occur when the OPC receives a complaint from an individual about the breach.

On occasion, the Commissioner may initiate a complaint on her own motion. This happens only in exceptional circumstances, where, for example, the breach is very serious, appears to be systemic or the organization does not appear to be responding adequately.

We have recently initiated 3 audits related to a systemic issue that appears to involve criminal activity across an industry sector.

I also want to underline that, in the absence of a mandatory reporting regime, we are apt to view those organizations that voluntarily report to us in a positive light.

Those that don’t come forward, I suspect, may be concerned about the potential for bad PR or enforcement action by our office.

Organizations may also be reluctant to report breaches out of fear that information they provide to us in confidence may be disclosed under the Access to Information Act.

The fear may be exaggerated. Here’s how it works:

Until an incident review is completed and all possible appeals are exhausted, access to all information on the file is refused.

Once the incident review is finished, then the Access to Information Act requires that we consider releasing certain information – but only material, such as memos, reports and notes to file, that our Office created during the investigation,.

Information provided by the respondent organization during an investigation or audit is exempted under Section 16.1 of the ATI Act, even after the investigation is finished.  The scernio is different in a full investigation where a letter of finding is issued.

Similarly, if there is broad public interest in an incident, and if it has already been discussed in the media, we may, at the conclusion of the investigation, also disclose information from our reports that we created. However the ATI Act allows us to exempt certain portions of that information, such as accounts of consultations and deliberations and personal information and proprietary business information.

As I look towards the future, I continue to be confident that Parliament will move soon on a mandatory breach notification regime. Certainly, the idea received strong support from Members of Parliament of all political stripes during the committee review of PIPEDA.

While that alone is not going to eliminate data breaches, it will surely increase the accountability and investments of organizations for safeguarding the personal information entrusted to them.

Meantime, our Office is positioning itself to deal with what we expect will be an increase in breach and incident review. We have already taken a number of steps, including issuing guidance, hiring more investigators, and re-engineering our investigative processes.

We have also commissioned research aimed at giving us a better handle on what we should expect going forward.

Among other things, the research, which we hope to see in the next few months, should give us insights into the kinds and volumes of incidents we might see under a mandatory breach notification regime.

We will be talking to industry groups to explore their role in managing issues around data spills – from prevention and notification through mitigation.

And we’re reviewing how our Office can help in this evolution, whether that’s to further boost public awareness, or to contribute to public policy development through the capture of data and trend analysis.

We are well aware of the challenges for regulators in implementing the regime.

We look forward to continuing the dialogue and  welcome your thoughts on these and any other issues you wish to talk about.

In the meantime, I will leave you with a final slide containing some of our information related to privacy breaches. Our door is always open!

Available at www.priv.gc.ca:

Breach Notification Officer:

  • By e-mail: notification@priv.gc.ca
  • By phone: (613) 947-1698 or Toll-free: 1-800-282-1376
  • By mail: 112 Kent St., 3rd Floor, Ottawa, ON, K1A 1H3