I was asked many questions by a very engaged audience prior to, during and after a 2018 LexisNexis Canada webinar on the new breach of security safeguards provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA). For the benefit of all, I've tackled those questions here. Check back from time-to-time because I will update them with other interesting questions that I get asked. Also, don't forget to check out the recorded version of the webinar .
1. What consequences are associated with failure to comply with the new requirements of PIPEDA?
Affected individuals can make a complaint to the Office of the Privacy Commissioner of Canada (OPC) or the OPC can commence its own investigation. Once the OPC has made a report of findings, individuals can seek compensation through the Federal Court of Canada.
It is also possible for organizations to be prosecuted by the Public Prosecutions Service of Canada for failing to comply. Organizations may be subject to penalties of up to $100,000.
2. Is there an obligation to monitor for breaches even if you do not suspect any?
Yes, organizations must monitor for breaches as part of implementing security safeguards. The extent of the monitoring will depend on the sensitivity of the personal information being protected.
Clause 4.7 of Schedule 1 to PIPEDA requires organizations to protect personal information by security safeguards appropriate to the sensitivity of the information. Clause 4.7.1 says that the safeguards should protect against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Clause 4.7.2 states that the safeguards will vary depending on the sensitivity of the information. Clause 4.7.3 states that the safeguards should include physical, organizational and technical measures.
In PIPEDA Report of Findings #2018-001 (Connected toy manufacturer improves safeguards to adequately protect children's information), the Office of the Privacy Commissioner of Canada (OPC) concluded that a regular program of monitoring and logging to detect breaches was required under the safeguard provisions of PIPEDA given the sensitivity of the information that the organization held (information about children using its electronic learning products).
In PIPEDA Report of Findings 2016-005 (Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner/Acting Australian Information Commissioner), the OPC and the Australian Commissioner accepted that the organization had some detection and monitoring systems in place but the company had "not implemented an intrusion detection system or prevention system and did not have a security information and event management system in place, or data loss prevention monitoring."
In PIPEDA Report of Findings 2015-007 (Financial institution takes strong remedial measures after insufficient safeguards and unnecessary storage leaves sensitive data vulnerable to breach), the OPC criticized a financial institution for failing to protect personal information through "ongoing monitoring and maintenance of its system to ensure continued protection against evolving security threats." The organization did not monitor or test its website from the time it was originally designed and the time that the breach occurred to identify potential vulnerabilities of the web portal or web server.
3. How high is the test for "real risk of significant harm"?
When a breach of security safeguards occurs, organizations must determine whether they need to report the breach to affected individuals and to the Office of the Privacy Commissioner of Canada (OPC). The test for mandatory individual notification and reporting to the OPC is whether it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual.
The "real risk of significant harm" (RROSH) test has two parts. First it is necessary to determine whether the circumstances of the breach could create "significant harm" to an individual. Second, it is necessary to determine whether there is a "real risk" of that harm occurring. Under the first part of the test, the organization must consider whether the individual might suffer bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, financial loss, identity theft, negative effects on the credit record, damage to or loss of property or other similar harms. The harm must be non-trivial.
In assessing whether there is a "real risk" the organization should consider the sensitivity of the personal information involved in the breach, the probability that the personal information has been, is being or will be misused and any other factor that is relevant to assessing probability. A "real risk" does not mean that the risk must be probable. Instead, the courts have said in other contexts (e.g. deportation, lawyer disqualification, and medical) that a real risk must have some factual basis and not be purely speculative. Further, the harm must be related to the breach.
In order for the RROSH to be met, the harm must be non-trivial. However, it does not need to be probable. In Alberta (see next question), the test has, at times, been applied in a highly speculative way. We do not know whether the OPC would approach the test in the same way.
4. Which Alberta decisions have addressed 'real risk of significant harm'?
The Alberta Personal Information Protection Act also requires individuals to report breaches based on the "real risk of significant harm" (RROSH) test. The Information and Privacy Commissioner of Alberta (OIPC) is required to make an order about whether the organization must notify affected individuals. As a result, we have several years of decisions that discuss what constitutes a real risk of significant harm. These decisions can be found at https://www.oipc.ab.ca/decisions/breach-notification-decisions.aspx.
A case that is currently under judicial review before the Alberta Court is illustrative of how the test is applied. In P2018-ND-030 (Re Uber B.V.), the OIPC ordered Uber to notify affected individuals in Alberta of a breach. The breach was perpetrated by individuals who had accessed a developer page and, using credentials found there, accessed and downloaded archived driver and rider data. The organization paid the individuals to destroy the data and obtained assurances that the data would not be further disseminated. This data included name, mobile number, nickname, receipt, receipt email address, hashed and salted passwords, fraud score, and technical information of passengers and drivers. In addition, the breach affected driver's licenses, driver scores, and payment statements for the drivers. An estimated 815,000 Canadians were affected. In respect of the passengers, Uber argued that there was minimal risk of harm to the affected individuals. The breach had happened in 2016 and there was no evidence of fraudulent activity tied to the incident. Uber argued that it had paid a ransom and the individuals would not be liable for fraudulent charges on their credit cards because of the policy of the credit card companies. With respect to the risk of phishing, Uber argued that the breach would not be the cause of the loss to the individuals. Rather, any loss would be the result of these individuals failing to take ordinary precautions not to fall for scams.
The OIPC disagreed and stated:
The case is under judicial review at the time of answering this question.
5. PIPEDA says reports and notifications must be made "as soon as feasible". How soon is "as soon as feasible"? Are there examples of acceptable delay?
Organizations must make a report to the Office of the Privacy Commissioner (OPC) and notify affected individuals as soon as feasible after determining that a breach of security safeguards has occurred that creates a real risk of significant harm to an individual. (See above for information on the "real risk of significant harm" (RROSH) test.)
Although we do not yet have examples under PIPEDA, the term "as soon as feasible" likely means that organizations are required to move promptly to make the reports and notifications. Although organizations are not under a specific deadline, they will need to be prepared to explain delays. For example, there may be appropriate delays for notifying individuals in order to gather the information that is relevant to the breach notification and to arrange for credit monitoring or identity theft insurance.
Another source of acceptable delay may be to assist (or not disrupt) a criminal investigation. For example, in an Alberta decision, P2018-ND-081 (R.C. Purdy Chocolates Ltd.), the organization's third-party ecommerce service provider was asked by the U.S. Department of Justice to delay notifying its clients about the potential data breach for at least 60 days in order not to disrupt their investigation.
6. Are employee personal communications on company email accounts considered "collected" and subject to notification requirements if taken in a hack?
This is a tricky question that depends on the circumstances of the company, including the company's policies regarding the acceptable use of its information technology systems and whether and how it enforces those policies. Generally, PIPEDA only applies to employee personal information if it is collected, used or disclosed in connection with the operation of a federal work, undertaking or business. The privacy laws in Alberta, British Columbia and Quebec are different. In the case of a federal work, undertaking or business, if the organization expressly claims in its policies that all of the information on its systems belongs to the organization and does not enforce prohibitions on personal use of its technology, then the organization may have some challenges in arguing that it was not in control of personal information collected in the course of its commercial activities. It may not have been collected "for" its commercial activities, but it may have been collected "in the course" of its commercial activities. You will definitely want to get legal advice on your particular circumstances. This is also an area where you will want to consider the larger issue of ongoing employee relations.
7. Will service providers have to provide notice of a breach to both the Office of the Privacy Commissioner of Canada (OPC) and their client? Is the obligation of the service provider to report breaches limited to a contractual duty?
Whether a service provider must report a breach to the OPC as well as their client depends on whether the service provider has "control" over the personal information. Legal advice should be sought to determine whether the service provider has control. If the service provider has no discretion regarding the purposes for which the personal information is collected, used, retained or disclosed, then it is unlikely that the service provider has "control" over the personal information. By contrast, if the service provider is permitted to use the information for its own use, then it likely has "control" over the personal information. Keep in mind that more than one organization can have control over personal information.
If the service provider does not have any control over the personal information, the service provider's obligation to report to their client should be contained in a contractual reporting requirement. However, even if there is no express contractual provision, the service provider may have a reporting obligation under another legal principle depending on the facts of the case.
8. Are the breach notification provisions applicable to not-for-profit organizations?
PIPEDA applies to organizations that are collecting, using and disclosing personal information in the course of a commercial activity. Although an organization is a non-profit, some of its activities may be commercial in nature (e.g. selling goods for fundraising). In addition, the purchase and sale of fundraising lists, which is common among charities, would be an activity to which PIPEDA applies. Therefore, if the information that is the subject of the breach was collected or used during one of these commercial activities, then PIPEDA will apply.
9. Is there an obligation to notify the Law Society of Ontario, Law Pro or the client if there is a privacy breach regarding personal information held by a lawyer or law firm?
It is possible that the breach of security safeguards provisions in PIPEDA could apply to lawyers and law firms. Whether PIPEDA applies to a privacy breach at a law firm depends on whether the information was collected or is being used in the course of a commercial activity. A commercial activity is an activity that has a commercial character, such as the purchase and sale of services or goods. The Office of the Privacy Commissioner of Canada (OPC) has previously applied PIPEDA to law firms in a number of cases (although not involving data breaches): PIPEDA Case Summary #2007-367 (Need to establish procedures for handling access to personal information request stressed); PIPEDA Case Summary #2006-340 (Law firms collected credit reports without consent); PIPEDA Case Summary #2007-377 (Law firm's shoddy privacy practices result in missing personal information; request for access denied); Settled case summary #30 (Solicitor's lien insufficient grounds to deny access to personal information).
Law firms should understand that they may also handle personal information of third parties on behalf of their clients. As such, a breach of security safeguards may involve a data breach that is reportable by their clients. For example, in PIPEDA Report of Findings #2011-007 , the law firm responded on behalf of its client to a privacy access request but failed to sever information relating to other parties.
Beyond PIPEDA, lawyers will be subject to rules of professional conduct and fiduciary obligations. These obligations include protecting confidential information of the client, acting in the client's best interests, and being candid with clients about matters relating to their representation. In the event of a breach of security safeguards, a lawyer will want to seek advice on the applicable professional obligations. However, it will likely be a very rare case in which the lawyer would not have an obligation to advise affected clients, since affected clients should be advised to seek legal advice about whether they have a right to make a complaint, either for failing to protect the information adequately under PIPEDA or for a breach of duties to protect the client's property and confidential information under the Rules of Professional Conduct.
Lawyers should also understand that the standard LawPro policy provides only limited coverage for cybercrimes. However, as with all coverage, the policy requires lawyers to provide immediate notice to LawPro regarding any circumstances that would be expected to give rise to a claim.
10. Does a ransomware attack qualify as a data breach?
Ransomware usually involves the unintentional deployment of malware (usually by opening a file or clicking on a link) that results in the encryption of data. The encrypted data is unusable unless it is decrypted. However, to obtain the decryption key, it is usually necessary to pay the extortionist a ransom - often in a digital currency.
A "breach of security safeguards" under PIPEDA means "the loss of, unauthorized access to or unauthorized disclosure of personal information" as a result of a breach of the security safeguards established by the organization or a failure to establish them as required by PIPEDA. The inability to decrypt the data could involve the loss of that data. Moreover, depending on the nature of the ransomware, it may not be possible to rule out whether a copy of the data was also sent to the criminal actor or whether the criminal actor had access and continues to have access to the encrypted data. Since that actor also holds the encryption key, there may be more than a possibility of unauthorized access to the data. In P2018-ND-112, the Office of the Information and Privacy Commissioner of Alberta (OIPC) concluded that a hotel whose network was infected, and files encrypted, could not rule out the possibility of unauthorized access and disclosure of the information. The OIPC ordered mandatory breach notification. Although this case was decided under the Alberta legislation, it should be considered by organizations when interpreting PIPEDA.
11. What do I need to know beforehand to avoid a critical mistake in responding to ransomware?
Organizations should get expert advice on vulnerabilities in their network architecture, ensure that they are using appropriate virus scans, and appropriately train their employees not to open attachments and click on links that could contain malware. There are numerous professionals who can offer assistance.
Readers may also refer to the following resources:
James Careless, "Protecting Your Files from Ransomware Extortion" (March 1, 2015)
Carolynne Burkholder-James, "Ransomware extortion" (May 2015)
David G Ris, et al., Locked Down: Practical Information Security for Lawyers, Second Edition (ABA, 2016) available as an ebook at LexisNexis.
One of the most important precautions that organizations need to take is to ensure that they can reconstruct their data. Ransomware involves an executable file that once triggered will begin to encrypt important files. Unless the organization pays a ransom for the decryption key, the files may become useless. To ensure that the minimum amount of information is at risk, regular backups to a media that is not connected to the device that has become infected should be conducted.
12. What are some good resources that we can consult?
Breach Reporting Obligations Comparison (Canada and International) (available as Part of Lexis Practice Advisor Canada).
The Office of the Privacy Commissioner of Canada has helpful breach reporting Guidance at https://www.priv.gc.ca/en/privacy-topics/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/ .
Readers may also want to check out the Guide to the Personal Information Protection and Electronic Documents Act (2018 Edition) (LexisNexis Canada), which is one of the least expensive resources available. A new edition will be available in late 2019.