Earlier this year Nova Scotia’s information and privacy commissioner called on the province to pass a law requiring all firms under its jurisdiction to notify affected individuals of all privacy breaches involving a real risk of significant harm.
The government should consider that request more seriously now that it has been revealed that it took Dalhousie University seven months to finally notify 20,000 people, mainly alumni, that information about them was in a computer file that was accessible to the university’s faculty, staff and students between Sept. 16, 2016, and March 3 of this year.
The file contained alumni, university-friend and donor information, but apparently no financial information.
A letter sent to alumni blamed the exposure on an error by an employee.
According to an article yesterday in the Halifax Chronicle Herald, the problem was discovered in March but letters informing people started arriving only this week.
“We became aware that members of the university community were using this folder and may have used it to save information,” spokesman Brian Leadbetter told the newspaper in an email.
“In this particular case, we have notified individuals out of an abundance of caution. We have no evidence that the files were actually accessed. The files did not contain any government-issued ID numbers (e.g. social insurance number) or banking information (e.g. credit card or bank information).
“We sincerely apologize for this error. We take our obligation to protect the privacy of our stakeholders very seriously.”
According to the news report, the letter the university is sending to those affected says the institution “became aware on August 17, 2017 that a file contained alumni, friend and donor information.
“To protect against the possibility of unwanted marketing, please be wary of unsolicited emails, calls, or direct mail. Please rest assured that we are doing everything we can to ensure the protection of your personal information.”
Among the recommendations in her annual report to the legislature in June, privacy commissioner Catherine Tully said the province should require notification to affected individuals and the Commissioner, without unreasonable delay, of all privacy breaches involving a real risk of significant harm.
The recommendation didn’t define “real risk of significant harm.” However, the only province in Canada that now requires data breach notification is Alberta, and its legislation does use that phrase. In a document explaining how organizations should interpret it, the Alberta information and privacy commissioner’s office says there are two tests. First, “there must be some risk of damage, detriment or injury that could occur to an individual as a result of the breach. For the harm to be significant, it must be important, meaningful and more than trivial consequences or effects.” The second test is whether a reasonable person would consider there is a “real risk” that the significant harm identified will actually occur to an individual.
Among the questions an organization should ask itself are:
Who obtained or could have obtained access to the information?
Is there a security measure in place to prevent unauthorized access, such as encryption?
Is the information highly sensitive?
How long was the information exposed?
Is there evidence of malicious intent or purpose associated with the breach, such as theft, hacking, or malware?
Could the information be used for criminal purposes, such as for identity theft or fraud?
Was the information recovered?
How many individuals are affected by the breach?
Are there vulnerable individuals involved, such as youth or seniors?
Tully said any breach notification law should also specify what a notice to affected individuals must contain, including details about the cause of the breach, a list of the types of data lost or stolen, an explanation of the risks of harm affected individuals may experience as a result of the breach, and information about the right to complain to the Commissioner.
In an interview this morning Tully said the university did not contact her about whether it needed to notify potential victims. “In Nova Scotia it’s quite unusual for public bodies to notify” after a breach of security controls, she added, “so Dalhousie did follow best practice when they notified affected individuals.”
Tully wouldn’t comment on the time it took for the university to send out letters because other than the news report she has no details. But, she added, “it is important that notification be sent out without unreasonable delay.” She noted the province’s health information law requires bodies holding medical information to send out breach notices “at the first reasonable opportunity.”
Most organizations would realize they have to notify potential victims if the exposed data includes sensitive information such as passwords, bank account numbers, social insurance numbers and the like. But Tully said even a name alone can be sensitive in context, for example if the name appeared on the subscriber list of a specialty magazine, which would reveal something personal about that individual.
In short, she agreed an organization should take the attitude “when in doubt, notify.”
“When a breach falls in the grey area, where it’s not obvious — it’s not medical or financial information [that’s been breached] — you have to be methodical in working through what the risks are” to an individual.
But, she added, “sometimes you notify because it shows respect for the individual. It allows them to decide if there’s a risk to them when you can’t be certain what the risk might be … Sometimes organizations are going to notify because it’s important for their reputation that their stakeholders know that they are prepared to let individuals know when this happens.”