The biggest mistake Canadian businesses make after a data breach is not facing up to it, say two experts at a privacy conference.
“There is that natural to want to sweep it under the rug, to see if this is something we can make go away internally,” Fazila Nurani, senior counsel and lead consultant at PrivacyTech, a Thornhill, Ont., consultancy which advises firms and governments on privacy strategy, said in an interview.
“And I think that’s a big mistake because it delays the whole [response] plan. So being up front about it allows you to get the right people involved – because if you’re trying to keep it quiet you’re just not able to get your fact-finding done as quickly as it should be.”
Shaun Brown, a partner in the Ottawa law firm nNovation, made similar remarks.
“I think it is common for Canadian companies – especially when you’re dealing with small and medium size businesses, sometimes larger companies as well — they don’t appreciate the significance of a data breach, or they may not understand there has been a breach. And a lot of it comes back to not understanding the breadth of personal information (they hold). I’ve seen this before — it may be a list of names and email addresses and they think it’s not a big deal, but that’s personal information that our (information) commissioners believe can result in a real risk of significant harm and notification (of victims) needs to occur.”
Both were interviewed this week in Toronto at the annual International Association of Privacy Professionals (IAPP) convention, where Brown was on a panel on data breach response issues and Nurani gave a presentation on breach notification and reporting requirements under current federal and provincial laws and the coming PIPEDA changes.
Organizations that come under PIPEDA won’t be able to hide breaches for long: either late this year or next year, new breach victim and regulatory notification obligations will come into effect as a result of the 2015 approval of changes to the Personal Information Protection and Electronic Documents Act (PIPEDA).
Bureaucrats are finalizing draft regulations for the changes, which may be released this summer. There will be a period for public comments, then publication of the final regs. However, there may be an additional delay of several months after that to give organizations covered by PIPEDA time to get their processes in order to comply.
But it’s the missing regulations for the PIPEDA changes – passed as the Digital Privacy Act – that have privacy officers apprehensive.
The changes make it mandatory for organizations to notify the federal privacy commissioner and affected persons if there is a “real risk of significant harm” — already dubbed RROSH by privacy pros – from a breach of security.
The law defines “significant harm” to include bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft, among others. Factors that organizations will need to consider when assessing real risk of significant harm include the sensitivity of the personal information involved; the probability that the personal information has been, is being or will be misused; and “any other prescribed factor.”
“It’s a huge issue in that there’s so much subjectivity in that test,” Nurani said. For example, presumably encrypted data should lower the risk. But what about an email with personal information that accidentally went to the wrong person? Is there a duty to notify, even if the recipient was told to delete the message?
In her conference presentation she advised privacy pros to look for guidance at decisions by Alberta’s privacy commissioner, where firms covered by provincial legislation have had a similar breach notification obligation for seven years.
Those decisions “take a conservative approach” — in other words, set a high standard — when it comes to assessing risk, she said.
Or, as she put it in the interview, “when you’re not sure, assume that there is that harm and significant risk.”
Although they gave separate presentations, both Brown and Nurani also stressed the importance of organizations avoiding regulatory or judicial sanctions from a breach by acting swiftly and offering help to victims. Both cited the large Home Depot breach, which affected shoppers mainly in the U.S. but also Canada. The judge in that case accepted a deal in a class action lawsuit to pay Canadian victims just over $400,000.
In doing so he didn’t accept that Home Depot was culpable, and said that it responded “as a good corporate citizen” by offering a package of benefits to victims including free credit monitoring.
“Timing of the response is obviously critical,” Nurani added, suggesting telling customers as soon as possible after discovering a data theft. The press will highlight that it came, say, three weeks after being found, which suggests the organization didn’t take it seriously enough. True, some time is needed to determine the facts, “but that has to happen as quickly as possible … get in front of the breach. You really need to tell people what happened and what you’re doing about it.”
She senses that within 72 hours after discovery is a good yardstick (and it’s the rule under the European Union’s new General Data Protection Regulation (GDPR), which comes into effect next May).
She also advised organizations to get their lawyers and insurers involved early on.