Uber’s refusal to notify Alberta users of the ride sharing service that their personal data had been stolen until ordered by the provincial privacy commissioner proves that the new federal data breach notification law — which leaves it up to companies to decide whether customers will be at risk — won’t work, says the head of a consumer rights group.
“I’d like to say ‘I told you so,’” John Lawford, executive director of the Public Interest Advocacy Centre and a critic of the mandatory data breach notification regime that will soon come into effect under the federal Personal Information Protection and Electronic Documents Act (PIPEDA), said Tuesday. “It has to do with a company thinking their data breach isn’t going to affect people, and holding that line.”
However, Vancouver privacy lawyer Bradley Freedman says the decision isn’t surprising.
They were commenting on the release Monday of a Feb. 28 decision by Alberta privacy commissioner Jill Clayton that the personal information stolen in a 2016 theft of data on 32 million non-U.S. riders — including Albertans — posed a “real risk of significant harm” to the individuals. As a result Uber Canada had to notify them.
According to news reports, Uber Canada then decided to notify not only Albertans but all 816,000 Canadian Uber users whose data was stolen. The CBC last week quoted an Uber Canada official as saying the company disagrees with the decision and wants to appeal.
Uber didn’t respond to two email requests for comment Monday.
That standard — a real risk of significant harm — is the same one in the federal legislation, which has yet to come into effect. The difference, Lawford pointed out, is that under Alberta legislation companies that suffer breaches have to notify the provincial privacy commissioner, who makes the decision on whether to notify victims. The federal legislation leaves it up to companies to decide whether the stolen personal data would pose a real risk of significant harm and whether to notify victims.
However, organizations that knowingly fail to report to the federal commissioner or to notify affected individuals of a breach that poses a real risk of significant harm could be fined up to $100,000.
The federal privacy commissioner does have the power to initiate investigations. But, Lawford said, that would likely only happen if the commissioner found out about a data breach from a complaint or a news report. He believes the federal law should oblige companies to report all data breaches and not give them discretion.
Ottawa has yet to announce when the new mandatory data breach notification regime will start. It is still finalizing regulations.
According to the Alberta ruling, Uber Canada passed on to the provincial privacy commissioner a copy of the breach notification it had sent to the Dutch Data Protection Agency in November 2017. The stolen data was on a server in Holland. But Uber Canada argued that while the stolen data included user names and email addresses, as well as hashed data and technical data, it didn’t believe the information posed a real risk of significant harm to an individual. Driver data included their drivers’ licence numbers. Drivers were notified, but users weren’t.
Uber told Clayton that after being contacted by the thieves — who according to news reports demanded a bug bounty for discovering a vulnerability that allowed them to steal data — Uber “obtained assurances” from the thief(s) that the data was destroyed. Uber has also been monitoring the accounts of people whose data was stolen, has flagged them for additional fraud protection, and “has not seen evidence of fraud or misuse tied to the incident.”
Clayton also said Uber told her “the information at issue was not sensitive and not the type that poses a threat of potential harm that rises to the level of significance required for notification…. The extracted information is insufficient for identity theft…. There is, similarly, minimal if any risk of other financial harm based on the nature of the extracted information.”
According to Clayton, Uber also argued that stolen email addresses and phone numbers by themselves aren’t a risk. “Any potential harm from phishing results as a consequence of the individual him or herself supplying personal information such as access codes and passwords, and not the consequence of having received such an email,” she said Uber argued.
Not so, Clayton ruled.
“In my view, a reasonable person would consider that the identity information of drivers (specifically driver’s license numbers), particularly in combination with other personal information elements at issue, could be used to cause the harms of identity theft and fraud. These are significant harms. Particularly when combined with profile information (information that individuals are customers/drivers), individual names, mobile telephone numbers and email addresses of riders and drivers could be used to send sophisticated, user-specific phishing emails and text messages purportedly from Uber,” she added. “Merely clicking on a link, without a user providing any additional information, could potentially cause significant harm (e.g. activate malware, infect users’ computer/networks).”
Following previous decisions, Clayton said, “a reasonable person would consider phishing/smishing to be a significant harm.”
Lawford says the new federal mandatory breach notification rules “won’t produce the result that Alberta did.” Instead, he believes, data breaches will be hidden because it will be up to companies to decide whether to tell victims.
However, Vancouver privacy lawyer Bradley Freedman says the decision “is not at all surprising.” Freedman, of the firm Borden Ladner Gervais LLP, said “previous decisions by the Alberta privacy commissioner and guidance by the Privacy Commissioner of Canada have discussed the issue of risks to individuals resulting from data breaches, and risks of phishing, fraud and identity theft are well-known and recognized.”
But, he added, the Alberta ruling is a useful reminder to privacy officers that eventually all Canadian regulatory regimes will require disclosure when there is a real risk of significant harm to individuals. British Columbia and Quebec will likely change their privacy laws to mirror the federal law, he said.
“Harm is not limited to real financial out-of-pocket loss,” Freedman added. “It’s a much, much broader concept. We’ve seen that in earlier decisions of the Privacy Commissioner of Canada — for example the Ashley Madison case, which talked about humiliation and reputational harm as one of the risks.”
In a summary of the data breach notification amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal privacy commissioner notes the concept of “significant harm” includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss and identity theft among others. “Factors that organizations will need to consider when assessing the presence of a real risk of significant harm include the sensitivity of the information involved and probability that the information was or will be misused (or any other prescribed factor).”
As to whether privacy officers should disclose a data breach if circumstances are borderline — in other words, ‘when in doubt, disclose’ — Freedman said that “in many cases there are good business reasons to err on the side of caution — and part of it is treating your customers in a certain way, the right way.”