Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mark S. Hayes – Blake, Cassels & Graydon LLP Privacy and Security – Some Observations Mark S. Hayes, Blake, Cassels & Graydon LLP 7th CACR Privacy and.

Published byChristian Francis Modified over 9 years ago

Similar presentations

Presentation on theme: "Mark S. Hayes – Blake, Cassels & Graydon LLP Privacy and Security – Some Observations Mark S. Hayes, Blake, Cassels & Graydon LLP 7th CACR Privacy and."— Presentation transcript:

1 Mark S. Hayes – Blake, Cassels & Graydon LLP Privacy and Security – Some Observations Mark S. Hayes, Blake, Cassels & Graydon LLP 7th CACR Privacy and Security Workshop - Toronto November 3, 2006

2 Mark S. Hayes – Blake, Cassels & Graydon LLP Conundrums of Security and Privacy 1.  Security =  Privacy 2.Security ≠ Privacy 3.  Security =  Privacy

3 Mark S. Hayes – Blake, Cassels & Graydon LLP Security =  Privacy Must be able to secure and protect personal information in your possession or control May be different from usual internal security Include “right to know” internally and require different controls Passwording, encryption

4 Mark S. Hayes – Blake, Cassels & Graydon LLP Security ≠ Privacy Security for PI is a necessary but not sufficient condition for privacy compliance PI can be secure but used improperly or disclosed to inappropriate persons (both inside and outside organization) Security of PI is only one part of privacy compliance program

5 Mark S. Hayes – Blake, Cassels & Graydon LLP Security =  Privacy Anonymity and encryption: Bad for security Good for privacy One of the most important elements of a good security program is “know your users” However, must collect and use information with consent to comply with privacy regulations Must understand nature of trade-offs

6 Mark S. Hayes – Blake, Cassels & Graydon LLP Hayes’ Laws of Privacy and Technology 1.Technology will always enable you to do more than you are allowed to do 2.Technology will often restrict you from doing something that you are required to do 3.You will always discover the application of each of these laws right after an expensive technology implementation project is completed

7 Mark S. Hayes – Blake, Cassels & Graydon LLP Security Breaches PIPEDA security standards vague –Principle 4.7: “Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.” –Alberta PIPA slightly more detailed: “protect personal information... by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction” Seem to use objective standard

8 Mark S. Hayes – Blake, Cassels & Graydon LLP Some Security Cases PIPEDA decisions: strict liability “disclosure is breach” test PIPEDA Case #277 (2004) –“To” line used rather than “BCC” line in e-mail –sub-contractor had appropriate safeguards in place –“company did not meet the requirements of Principle 4.7.1” PIPEDA Case Summary #289 –Laptop containing customer’s banking information stolen from bank’s financial advisor’s car –Laptop equipped with security features (including password protection) –Bank’s laptop security policy PIPEDA-compliant –Bank still in breach

9 Mark S. Hayes – Blake, Cassels & Graydon LLP More Security Cases Alberta trio of 2005 cases used similar standards Linens ‘N Things, Nor-Don Collection Network Inc., Digital Communications Group Inc. –Police found consumer records in hands of criminal gang –Three retailers found in violation of PIPA –While precise failure of security was not identified in each case, retailers all found to have violated PIPA Possible that decisions were justified on basis of retailers’ failure to secure documents, but standard not well expressed in decisions

10 Mark S. Hayes – Blake, Cassels & Graydon LLP B.C. Investigation Report F06-01 “reasonable” means “objectively diligent and prudent in all of the circumstances” “defining and documenting security arrangements … is diligent and prudent practice” “fact that a generally-accepted and proven practice has been followed may be strong evidence of prudence and diligence in protecting personal information, but it is not determinative” Encryption of electronic records may be important

11 Mark S. Hayes – Blake, Cassels & Graydon LLP B.C. Investigation Report F06-01 (2) “risk of a privacy breach due to criminal activity or other intentional wrongdoing is contemplated in assessing reasonable security arrangements” Cost of additional security may be an issue Also see B.C. Investigation Report F06-02 Clearly the BCPC’s nuanced and objective approach seems more appropriate than the “breach means unreasonable” approach seen in other cases

12 Mark S. Hayes – Blake, Cassels & Graydon LLP Recent Alberta PIPA Cases To determine what security measures are reasonable, must look at: –medium information is stored on –sensitivity of information –industry standards or practices –foreseeability of unauthorized access or disclosure (including possibility of criminal activity) –cost of additional measures vs. additional level of security they would provide E.g. recommended that all personal information on laptop computers should be encrypted

13 Mark S. Hayes – Blake, Cassels & Graydon LLP Notification of Security Breaches Only Ontario PHIPA requires to notification after security breach involving personal information Most privacy commissioners support imposition of notification obligation In F06-02, BCPC concluded that “A public body should, following a data loss or theft, conduct a prompt assessment of any risks posed thereby. If the public body concludes that notification is appropriate, … it should prepare a notification strategy and execute it.”

14 Mark S. Hayes – Blake, Cassels & Graydon LLP Notification of Security Breaches (2) In many U.S. states, notification is mandatory except in limited circumstances In Victoria, Australia, privacy commissioner has implied an obligation that notification should be the rule, absent exceptional circumstances Issues with notification: –cost of notification –breach does not mean privacy risk –over-notification causes more damage than breach –constant notification  desensitivization Issue is on table for PIPEDA review

15 Mark S. Hayes – Blake, Cassels & Graydon LLP Questions? For a copy of these slides, just ask! mark.hayes@blakes.com

Download ppt "Mark S. Hayes – Blake, Cassels & Graydon LLP Privacy and Security – Some Observations Mark S. Hayes, Blake, Cassels & Graydon LLP 7th CACR Privacy and."

Similar presentations

Data Security Breach Code of Practice. Data Security Concerns Exponential growth in personal data holdings Increased outsourcing 3 rd countries cloud.

Data Security Breach Code of Practice. Data Security Concerns Exponential growth in personal data holdings Increased outsourcing 3 rd countries cloud.
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.

©2008 Perkins Coie LLP Game Industry Roundtable Privacy Developments for the Game Industry Thomas C. Bell September 24, 2008.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
PIPA PRESENTATION PERSONAL INFORMATION PROTECTION ACT.

PIPA PRESENTATION PERSONAL INFORMATION PROTECTION ACT.
The Problem Solvers TM www.singleton.com Privacy Rights: Minors and Parents Michael J. Hewitt Marcel Daigle Singleton Urquhart LLP.

The Problem Solvers TM Privacy Rights: Minors and Parents Michael J. Hewitt Marcel Daigle Singleton Urquhart LLP.
Kathy O’Brien NEON and NORrad – Current PHI Sharing and How Best to Comply with PHIPA August 26, 2004.

Kathy O’Brien NEON and NORrad – Current PHI Sharing and How Best to Comply with PHIPA August 26, 2004.
VIU Workshop: Creating a Culture of Privacy Awareness June 12, 2013 By Justin Hodkinson OIPC Policy Analyst/Investigator Office of the Information & Privacy.

VIU Workshop: Creating a Culture of Privacy Awareness June 12, 2013 By Justin Hodkinson OIPC Policy Analyst/Investigator Office of the Information & Privacy.
Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February.

Identity Theft & Data Security Concerns Are You Meeting Your Obligations to Protect Customer Information? Finance & Administration Roundtable February.
Complying with Privacy to Enable Innovation & Research

Complying with Privacy to Enable Innovation & Research
Copyright © 2014 Merck Sharp & Dohme Corp., a subsidiary of Merck & Co., Inc. All rights reserved. In practice, how do we recognize a potential Privacy.

Copyright © 2014 Merck Sharp & Dohme Corp., a subsidiary of Merck & Co., Inc. All rights reserved. In practice, how do we recognize a potential Privacy.
PRIVACY COMPLIANCE An Introduction to Privacy Privacy Training.

PRIVACY COMPLIANCE An Introduction to Privacy Privacy Training.
E B a n k i n g Information Security Guidelines ABA’s Technology Risk Management – A Strategic Approach Telephone/Webcast Briefing June 17, 2002.

E B a n k i n g Information Security Guidelines ABA’s Technology Risk Management – A Strategic Approach Telephone/Webcast Briefing June 17, 2002.
Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.

Insights on the Legal Landscape for Data Privacy in Higher Education Rodney Petersen, J.D. Government Relations Officer and Security Task Force Coordinator.
Developing a Records & Information Retention & Disposition Program:

Developing a Records & Information Retention & Disposition Program:
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.

Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
ICAICT202A - Work and communicate effectively in an IT environment

ICAICT202A - Work and communicate effectively in an IT environment
What if my organization conducts business across borders ? Your footnote Privacy and “Personal Information” have different meanings in different countries;

What if my organization conducts business across borders ? Your footnote Privacy and “Personal Information” have different meanings in different countries;
Taking Steps to Protect Privacy A presentation to Hamilton-area Physiotherapy Managers by Bob Spence Communications Co-ordinator Office of the Ontario.

Taking Steps to Protect Privacy A presentation to Hamilton-area Physiotherapy Managers by Bob Spence Communications Co-ordinator Office of the Ontario.
Understanding Privacy Breach Risk: Ontario Universities Risk Management Symposium Presented by Brian Rosenbaum LL.B. Director, Legal and Research Practice.

Understanding Privacy Breach Risk: Ontario Universities Risk Management Symposium Presented by Brian Rosenbaum LL.B. Director, Legal and Research Practice.

Similar presentations

Ads by Google