STIKEMAN ELLIOTT LLP www.stikeman.com

Privacy Breaches: Legal Risks, Obligations & Best Practices

David Elder

Stikeman Elliott LLP

May 2011

Presented at Marsh Canada seminars, Ottawa and Calgary, May 2011.


SLIDE 2

Legislative Framework

Patchwork?

Mix of Federal and Provincial Regimes

– Private Sector

– Health Sector

– Public Sector

– Employees

SLIDE 3

Private Sector Privacy

Provincial:

B.C.: Personal Information Protection Act

Alberta: Personal Information Protection Act

Québec: An Act Respecting the Protection of Personal Information in the Private Sector

Federal:

Personal Information Protection and Electronic Documents Act

SLIDE 4

Private Sector Privacy

Federal: Personal Information Protection and Electronic Documents Act

Applies to collection, use and disclosure of personal information by:

– Private sector federal works & undertakings, including their employees

– Private sector organizations, in course of commercial activities, when:

– Transferred across provincial borders

– Collected, used or disclosed in province without “substantially similar” legislation

SLIDE 5

Private Sector Privacy

Provincial

B.C.: Personal Information Protection Act

Alberta: Personal Information Protection Act

Québec: An Act Respecting the Protection of Personal Information in the Private Sector

Apply to collection, use and disclosure of personal information by all private sector organizations in the Province

– Not just in course of commercial activities

– Including employee personal information

– N/A to interprovincial transfers and federal undertakings

SLIDE 6

Health Sector Privacy

Provincial:

British Columbia: Personal Information Protection Act

Alberta: Health Information Act

Saskatchewan: Health Information Protection Act

Manitoba: Personal Health Information Act

Ontario: Personal Health Information Protection Act

New Brunswick: Personal Health Information Privacy and Access Act

Nova Scotia: Personal Health Information Act*

Newfoundland & Labrador: Personal Health Information Act

Federal:

Personal Information Protection and Electronic Documents Act

SLIDE 7

Health Sector Privacy

Provincial health sector privacy laws generally apply to:

Personal health information, held by

Health Information Custodians: persons or organizations with custody or control of PHI in performing duties, including:

– Health care practitioners

– Hospitals and long-term care facilities

– Community health centres

– Pharmacies

– Laboratories, etc.

SLIDE 8

What is a privacy breach?

Typically refers to unauthorized access, theft or disclosure of personal information

– Hacking, “social engineering”

– Rogue employee or contractor

– Stolen/lost laptop

– Improper disposal of records

Could apply more broadly to unauthorized collection, use or disclosure of personal information

– Unnecessary or illegal collection and/or retention of personal information

– Use for purposes for which consent not obtained

– Accidental or negligent disclosure

SLIDE 9

Consequences – Private Sector

Offences:

– B.C. and Alberta: up to $100 K for organizations

– Québec: Up to $10 K, for a 1st offence; Up to $20 K for a 2nd

– Federal: Up to $10 K, summary conviction; Up to $100 K, indictment (only for destroying info under investigation, retribution to whistleblower)

Statutory Damages

– B.C. and Alberta: damages available based on final Commissioner finding or conviction of offence

– Federal: Federal Court can award damages after de novo consideration of Commissioner findings – including for humiliation

Tort Damages?

Brand Damage, Reputational Harm

SLIDE 10

Consequences – Health Sector

Offences & Damages

British Columbia: Up to $100 K for organizations

Alberta: Up to $50 K

Saskatchewan: Up to $50 K or 1 year imprisonment for individuals; Up to $500 K for corporations; Up to $50 K officers and directors

Manitoba: Up to $50 K per day offence continues, including directors and officers

Ontario: Up to $50 K for an individual; Up to $250 K for a corporation; statutory damages also available

New Brunswick: Up to $5,125 for a 1st offence; up to $9 K for a 2nd offence (Category F Offence)

Nova Scotia: Up to $10 K, for an individual; up to $50 K for a corporation, officers and employees liable

Nfld & Labrador: Up to $10 K or 6 months imprisonment

Federal: Federal Court can award damages

SLIDE 11

Private Sector Privacy

Breach Notification

Alberta: Personal Information Protection Act

Only Canadian jurisdiction to require mandatory privacy breach notification by private sector organizations

Organizations must, without unreasonable delay, notify Commissioner of any incident involving loss or unauthorized access or disclosure of personal information

“Where a reasonable person would consider that there exists a real risk of significant harm to an individual”

SLIDE 12

Private Sector Privacy

Breach Notification

Alberta: Personal Information Protection Act

“A significant harm is a material harm; it has non-trivial consequences or effects. Examples may include possible financial loss, identity theft, physical harm, humiliation or damage to one’s professional or personal reputation.”

“A real risk of significant harm means a reasonable degree of likelihood that the harm could result. The risk of harm is not hypothetical or theoretical, and it is more than merely speculative.”

Notification of a Security Breach, PIPA Information Sheet 11

SLIDE 13

Private Sector Privacy

Contents of Notice

Alberta: Personal Information Protection Act

Description of circumstances of loss, access or disclosure

Date or time period on or during which it occurred

Description of the personal information involved

Description of any steps taken to contain, reduce risk of harm, notify affected individuals

Contact information for questions about incident, risks

SLIDE 14

Private Sector Privacy

Breach Notification

Alberta: Personal Information Protection Act

Commissioner may require notification of individuals, if a real risk of significant harm

Can prescribe form, manner and timing

May impose terms and conditions

May require provision of additional info, establish expedited process to determine whether notification required

Failure to notify = fine of up to $100,000

SLIDE 15

Private Sector Privacy

Other Jurisdictions:

Committee to review Alberta PIPA recommended clearly defined breach notification amendment in 2008

PIPEDA amendments in Bill C-29 included mandatory breach notification to Commissioner for “material” breach

– Factors included sensitivity, number of individuals affected, systemic problem

Also, mandatory breach notification to individuals if “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual”

– Factors included sensitivity, probability of misuse of personal info

SLIDE 16

Private Sector Privacy

Other Jurisdictions:

Meanwhile, “Voluntary” disclosure “strongly encouraged”

B.C., Federal Commissioners have breach notification forms and processes

Advocate 4 key steps to respond immediately to a data breach:

1. Contain the breach, do preliminary assessment

2. Evaluate the associated risks

3. Notification

4. Prevention

SLIDE 17

Health Sector Privacy

Breach Notification

Ontario: Personal Health Information Protection Act

Requires “health information custodians” to notify affected individuals at the first reasonable opportunity where personal health information is stolen, lost or accessed by unauthorized persons

No threshold: all breaches are notifiable, although some leeway if data encrypted

No obligation to notify Information and Privacy Commissioner, but strongly encouraged

SLIDE 18

Health Sector Privacy

Breach Notification

New Brunswick: Personal Health Information Privacy and Access Act

Requires health information “custodians” to notify affected individuals at the first reasonable opportunity where personal health information is stolen, lost, disposed of (except as permitted by Act) or disclosed to or accessed by unauthorized persons

Not required to notify if custodian reasonably believes that breach will not have an adverse impact on the well-being of the individual or on provision of health care or other benefits, and will not lead to identification of the individual

No obligation to notify the Access to Information and Privacy Commissioner, but strongly encouraged

SLIDE 19

Health Sector Privacy

Breach Notification

Nfld & Labrador: Personal Health Information Act

Requires health information “custodians” to notify the Information and Privacy Commissioner where they reasonably believe that there has been a “material breach” involving the unauthorized collection, use or disclosure of personal health information

Also requires health information “custodians” to notify affected individuals:

– at the first reasonable opportunity where personal health information is stolen, lost, disposed of (except as permitted by Act) or disclosed to or accessed by unauthorized persons

– where personal health information used or disclosed contrary to requirements of Act and without consent

Unless directed otherwise by Commissioner, needn’t notify individual if custodian reasonably believes that breach will not have an adverse impact on the well-being of the individual or on provision of health care or other benefits, and will not lead to identification of the individual

SLIDE 20

Prepare for the Worst

Have an emergency response team in place, with clearly defined roles – legal, security, communications

Map out a containment strategy

Map out breach notification plan, taking into account legislative requirements, practices in each jurisdiction

Know what you would do, before you have to do it

Consider early and proactive “voluntary” notification, in addition to legally mandated notification

SLIDE 21

QUESTIONS & ANSWERS

David [email protected]

(613) 566-0532