
1 Understanding Privacy Breach Risk: Ontario Universities Risk Management Symposium
Presented by Brian Rosenbaum LL.B., Director, Legal and Research Practice, Financial Services Group, Aon Reed Stenhouse Inc.
25 November 2009

2 Agenda
–Introduction
–The Unique Exposures of Higher Education Institutions
–A Myriad of Legislation
–Key Regulatory Issues
–Privacy Breach Statistics
–Types of Privacy Breaches
–Privacy Breach Examples
–Privacy Breach Risks
–Costs of a Breach
–Privacy Governance
–Privacy Breach Links/References
–Questions

3 Introduction
–Universal Exposure
–Technological Explosion
–Privacy Breaches on the Rise
–Universities' and Colleges' Unique Risks

4 The Unique Exposures of Higher Education Institutions
A Learning and Sharing Environment
–Open information sharing is a foundation of higher learning
–Remote access to networks and databases is commonplace
Universities are Like Little Cities
–PI of many different types of individuals (students, alumni, employees, applicants, patients)
–Various types of PI (educational records, research information, financial information, health information)
Technology-Savvy and Sophisticated Internet Users
–Students are first users of new technologies
–Pressure for universities to adopt new platforms and systems
Outsourcing Issues
–Outsourcing e-mail and data storage may have many advantages, but there are privacy issues

5 Privacy Law Overview
Ontario Freedom of Information and Protection of Privacy Act (FIPPA)
–June 2006 amendments bring educational institutions under its jurisdiction
–Regulates use, collection, disclosure and retention of PI by higher education institutions
Personal Information Protection and Electronic Documents Act (PIPEDA)
–Regulates use, collection, disclosure and retention of PI in the context of university activity that is commercial in nature and not "core" to the university mandate
–Applies if PI flows outside of the province or country
Personal Health Information Protection Act (PHIPA)
–Regulates the collection, use and disclosure of personal health information

6 Privacy Law Overview continued
Differences in Applicable Legislation
–Pose challenges in creating one uniform privacy policy
–Examples of differing provisions:
›Disclosure of PI where there is no consent
›Breach notification

7 Privacy Breaches and Notification
Current Law under PIPEDA/FIPPA
–When does the obligation to notify arise?
–Failure to properly notify in a timely fashion can lead to civil and regulatory liability
–Early notification = mitigation
–PIPEDA and FIPPA have no mandatory breach notification obligations
–Guidelines/protocols strongly urge notification if the breach creates a risk of significant harm
Industry Canada Proposal
–Mandatory breach notification requirements are on the way
–Discretion left in the hands of the organization
–Threshold to report is "high risk of significant harm"
–Reporting window is "as soon as reasonably possible"
–Report "material breaches" to the Privacy Commissioner
Current Law under PHIPA
–Only Canadian legislation with mandatory breach notification requirements
–"First reasonable opportunity" threshold

8 Privacy Breach Statistics
ESI U.S. University Data Security Breach Study
2006
–83 data security breaches
–65 affected institutions
–2.7 million data records
2007
–139 data security breaches
–112 affected institutions
–1.25 million data records
2008
–173 data security breaches
–178 institutions
–4.9 million data records
2009 (so far)
–72 data security breaches
–66 institutions

9 Privacy Breach Statistics continued: ESI U.S. University Data Security Breach Study continued

10 Privacy Breach Statistics continued: ESI U.S. University Data Security Breach Study continued

11 Types of Privacy Breaches: Ponemon Institute – Primary Source of Breach 2008

12 Canadian Privacy Breach Examples
–Brock University (September 2006)
–McGill University (April 2007)
–Memorial University (September 2008)
–Trent University (February 2009)
–Ryerson University (February 2009)
–Huron University College (March 2009)
–Carleton University (September 2009)
–Memorial University (September 2009)

13 U.S. University Privacy Breach Examples
–California State Polytechnic University (15 Nov. 2009)
–Chaminade University (6 Nov. 2009)
–Bloomsburg University of Pennsylvania (1 Nov. 2009)
–California State University (14 Oct. 2009)
–University of Wisconsin (12 Oct. 2009)
–Roane State Community College (12 Oct. 2009)
–University of North Carolina (24 Sep. 2009)
–Eastern Kentucky University (24 Sep. 2009)
–Boston University (20 Aug. 2009)
–University of California (17 Jul. 2009)
–Cornell University (23 Jun. 2009)
–University of North Dakota (17 Jun. 2009)

14 Privacy Breach Risks
Civil Suits
–From business partners (e.g. financial institutions for credit card notification and recall expenses)
–From students, faculty and the general public for identity theft
Regulatory Investigations and Proceedings
–From the Privacy Commissioner of Ontario pursuant to FIPPA or PHIPA
–From the Privacy Commissioner of Canada pursuant to PIPEDA
Universities' Own Costs
–Damage to data and property
–Recovery and restoration expenses
–Loss of intellectual property
–Business interruption
–Loss of business opportunity
Damage to Reputation
–Enrollment
–Future revenues
–Business partnerships

15 Cost of a Breach
Liability
–Compensatory damages
–Regulatory actions
Direct Damages to Insured
–Business interruption
–Mitigation
–Costs to restore information
–Internal investigation
–Legal fees
–Lost customers
–Lost employee productivity
Response Plan
–Public disclosure and notification
–Interaction with regulators/authorities
Crisis Management Costs
–Call centre and website
–Credit monitoring
–Public relations

16 Privacy Governance
Breach Investigated and Assessed
–What caused the breach?
–How was it detected?
–What personal information was involved?
–How secure was the information (e.g. encryption)?
–How many individuals were affected?
–Does the breach appear to be criminal?
–Is there potential harm for those affected?
Notification
–What notification laws apply?
–Should affected individuals be notified?
›What are the reasonable expectations of those affected?
›Is there a risk of harm (e.g. humiliation)?
›Is there an ability to mitigate?
›What are your contractual obligations?
›Reputation considerations

17 Privacy Governance continued
Breach Risk Control Considerations
–Conceptual
›Have you recognized privacy as a risk for your organization?
▪Would it cause reputation or financial risk?
›Have you developed a strategy to handle this risk?
▪Is the risk disclosed to investors (e.g. AIF statement)?
▪Have you determined whether you will notify?
▪Have you identified responsibilities within your organization?
▪Have you identified outside parties to engage if you have a breach?
›How will your strategy be funded?
–Prevention
›How are you ensuring the security of your systems?
›Operational consistency: Is your data retention strategy in sync with your privacy obligations? With your privacy policy? Do you utilize a CRM platform? What information is being collected? How long is the data held for?
›What training is being provided to employees?
▪About your privacy policy?
▪About your privacy obligations?
▪About security?
▪About reporting requirements?

18 Privacy Governance continued
Breach Risk Control Considerations continued
–Assessment
›Who is responsible for investigating potential breaches?
›What reporting structure is in place?
›Has a methodology been created for assessment/reporting?
›What external resources are required in assessing a potential breach?
›PIPEDA self-assessment tool: http://www.privcom.gc.ca/information/pub/ar-vr/pipeda_sa_tool_200807_e.pdf
–Notification
›Will you notify those affected by a breach? What methodology will be used to decide? Has a formal plan been created? Has it been communicated?
›Who will be responsible for the notification? What oversight is required?
›Who will provide legal advice?
›Will you hire a PR firm? Has the firm been identified? Have they been briefed on your notification plan?
›Will the notification include your website and/or customer relations team?
›Who will communicate with regulators?

19 Privacy Breach Links/References
Websites
–Educational Security Incidents (ESI): http://www.adamdodge.com/esi
–Privacy Rights Clearinghouse: http://www.privacyrights.org/index.htm
–The Ponemon Institute: http://www.ponemon.org/index.php
–Open Security Foundation Data Loss Database: http://www.datalossad.org
–Office of Inadequate Security: http://www.databreaches.net/
–Identity Theft Resource Center: http://idtheftcenter.org
–Edupage: http://www.educause.edu/Resources/ElectronicNewsletters/Edupage/639
–Computer Crime & Intellectual Property Section of the United States Department of Justice: http://www.usdoj.gov/criminal/cybercrime/cc.html
–SSNBreach: http://www.nationalidwatch.org/
–Canadian Privacy Law Blog: http://www.privacylawyer.ca/blog
–Library Boy: http://micheladrien.blogspot.com
Reports and Studies
–ESI's 2008 Year in Review: http://www.adamdodge.com/esi/files/esi_yir_2008.pdf
–Ponemon Institute's 2008 Annual Study: Cost of a Data Breach: http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009%20US%20Cost%20of%20Data%20Breach%20Report%20Final.pdf
–2009 Rotman-Telus Joint Study on Canadian IT Security Practices: http://www.rotman.utoronto.ca/news/detail.asp?ID=490
–Breaches in the Academia Sector: http://jmcconsulting.wptlite.com/download.asp
–Privacy Breach Impact Calculator: http://www.informationshield.com/privacybreachcalc.html

20 Questions and Discussion

