What happens if Tech Co. is hacked or experiences a data breach in some other way?
I've had nightmares like this. As a lawyer, I store intensely personal information I've collected from my clients on my machine.
What would I do if that information was taken?
What am I required to do under the law?
Lawyers have a duty to report a breach that results in a compromise of client confidentiality - any breach. I have to contact my insurance company, email all my clients to tell them of the breach, and advise them that they are in a position to sue me for breach of confidentiality. In the real world, I would also have a BIG glass of scotch before contacting my insurer (but I digress).
This requirement stems from a code of conduct applying to lawyers under the law governing lawyers in my province.
I know where lawyers stand - BUT... we're not all lawyers.
Q: What if Tech Co. experiences a data breach?
In Canada we have three federal privacy laws, the Privacy Act, the Personal Information Protection and Electronic Documents Act (PIPEDA), and the shiny new Digital Privacy Act (DPA).
The Privacy Act applies to various federal government departments, whereas PIPEDA applies to private sector organizations. Simply put, this legislation sets the rules for organizations regarding the collection, use, and disclosure of personal information.
Q: Does Tech Co. have a duty to report a data breach?
Yes... maybe.
The DPA amended PIPEDA to be more in line with the notice requirements already in place in some provinces (Alberta for example) (note: the DPA received Royal Assent - meaning it became law - on June 18, 2015).
Alberta's Personal Information Protection Act requires organizations who have experienced a data breach to report a data breach to the Alberta Privacy Commissioner "where a reasonable person would consider that there exists a real risk of significant harm to an individual" as a result of the breach. The Commissioner will then decide whether or not the individual should be notified. It is important to note "risk of significant harm" is not defined in the Act; however, a supporting document refers to fraud, identity theft, physical harm, hurt, humiliation, damage to reputation, and loss of business/employment opportunities.
Provincial legislation trumps PIPEDA where it exists - but in the absence of provincial legislation PIPEDA applies. For example, Nova Scotia, where I practice, does not have comparable legislation; therefore, PIPEDA applies in all her... glory.
Under the new PIPEDA, Tech Co. is now required to notify the Privacy Commissioner of Canada of any "breach of security safeguards" of information under Tech Co.'s control if it is reasonable, in the circumstances, to believe the breach creates a "real risk of significant harm to an individual."
Let's unpack that.
- “breach of security safeguards” = loss, unauthorized access, or unauthorized disclosure of personal information resulting from a breach of an organization’s security safeguards OR from a failure to establish those safeguards;
- “significant harm” = bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, damage to credit, and damage/loss of property; and
- "real risk" is determined based on the sensitivity of the information involved, the probability of it being misused, and other factors.
This harm isn't limited to physical harm, there's a lot of wiggle room in the definition. Basically any breach of data could reasonably be said to trigger the duty for Tech Co. to notify their clients of a data breach.
Breaches of information security are no longer private, in-house matters. They have the potential to be public - extremely public. Canadian companies (and US companies operating in Canada) take note if someone busts in and thieves personal information - you're on the hook for a few sheepish letters.
Letters lead to media attention. Media attention leads to RUIN. Excuse my mellow drama.
There is, however, one thing the act does not address.
Q: What if the information lost in the data breach is encrypted?
If the information is encrypted - you may not have to report it because it is not reasonable to think someone could read it, and if someone can't read it it's not reasonable to think the information poses a "real risk of significant harm to the individual".
Although the DPA amendments to PIPEDA are new. There is some suggestion that if encrypted data is somehow taken, a private organization may not have to notify anybody.
The Ontario Information and Privacy Commissioner has gone so far as to suggest that the loss or theft of a device containing encrypted personal information would not generally be considered to be a loss or theft of personal information. I admit this was in the health information context - however, health information is, generally, treated as the most sensitive and personal information; the release of health data would likely pose the serious risk contemplated by PIPEDA.
Does this mean encryption saves you from any accountability? Not necessarily, but if Tech Co. were charged under PIPEDA for not informing a customer of a breach, the fact the data was encrypted opens up the argument that the breach did not pose a serious risk.
So, I'll give my usual advice to Tech Co.