Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction

What is a Privacy Breach? Privacy breach is the unintended and unconsented-to loss of personal data held by an organization Can result from intentional act (e.g. theft), negligence or simply system failure Under privacy laws organizations have an obligation to protect the personal information held by them and to disclose or release it only in accordance with purposes consented to by the data subjects A privacy breach involves a failure of the organization’s systems to protect such information  which may indicate a failure to comply with the law 2

Obligations to Protect Personal Information – The Security Requirement An organization is required to protect personal information using security safeguards appropriate in the circumstances This obligation means that the type of information and its sensitivity will dictate the nature of the security systems: more sensitive information must be protected by a higher level of security Organizations are required to use: −Physical measures (e.g. passcard access restrictions) −Organizational measures (e.g. confidentiality agreements) −Technological measures (e.g. password protection, encryption) 3

Why Privacy Breaches are a Concern A privacy breach involves the potential loss of information that for both competitive and regulatory reasons the organization seeks to keep confidential However, the more critical issue is that the compromised personal information may be used to injure customers or others (e.g. fraud, identity theft) The breach may indicate a failure of the organization to comply with its security obligations under the privacy law, or at common law, which could have serious financial and regulatory impact, as well as a loss of public (i.e. consumer) trust 4

Due Diligence – the Organization’s Responsibilities Most importantly, an organization should ensure that its security systems are adequate and meet or exceed recognized standards It should continually review (i.e. audit) its security systems and conduct threat, vulnerability and risk assessments When a deficiency is identified, it should address that and rectify it Training of staff both in respect to privacy and security compliance as well in responding to breaches should be conducted 5

Due Diligence – Risk Reduction Compliance with the security principle under PIPEDA is a strict liability requirement, which is satisfied by the organization taking due care – due diligence satisfies this requirement If the organization takes appropriate steps to comply with recognized security standards it should be able to minimize or avoid liability in the event of a breach 6

Security Compliance Standards Payment card industry data security Standard (PCI DSS) ISO/IEC series of standards – provide best practice recommendations for the management of information security and risks, and potential controls: 7 −ISO/IEC – Specification for Information Security Management System provides a standard for systems against which certification can be obtained −ISO/IEC – Code of Practice for Information Security – listing of potential control mechanisms for implementation with guidance from ISO/IEC – categories include: o Risk assessment and treatment ○ Asset management o Security policy ○ HR Security o Organization of information systems ○ Access Controls

ISO/IEC Requires that management within an organization must: Systematically assess the organization's information security risks, taking account of the threats, vulnerabilities and impacts Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that it deems unacceptable Adopt an all-encompassing management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis 8

ISO/IEC The standard has a long-term outlook and incorporates the “Plan-Do-Check-Act” approach: Plan: Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives Do: Implement and operate the ISMS policy, controls, processes, and procedures Check: Assess and, where applicable, measure process performance against ISMS policy, objectives, and practical experience and report the results to management for review Act: Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS 9

What Should an Organization do to Respond to a Privacy Breach? If a privacy breach occurs, the organization must respond both immediately to remedy the source of the breach and mitigate the potential damage and must subsequently evaluate its systems for future prevention How an organization responds to a breach is part of its compliance with the security principle under the privacy law Diligent and effective response including notification of affected persons will reduce risk 10

11 Response to a Breach – The Key Steps 1)Internal notification – implement breach protocol 2)Contain the breach and preliminary assessment 3)Evaluate the risks 4)Reporting to law enforcement and regulatory authorities 5)Notification of affected individuals 6)Investigation and Remediation

12 Investigation and Remediation Following completion of its immediate breach response actions, an organization must thoroughly investigate the cause of the breach This should involve an audit of all systems and procedures that may have had an impact on the breach (e.g. faxing procedures, credit card usage security, mobile transport of sensitive data)

13 Investigation and Remediation – cont’d The objective is to learn from the breach to improve procedures and systems so as to prevent a reoccurrence of the breach or similar breaches New procedures/systems should be established, appropriate training of staff conducted and an audit/review completed at the end of the process to ensure the intended objective is met These actions address the organization’s on-going and future compliance with the security principle in the privacy laws and address due diligence

THANK YOU David Young Direct: McMillan LLP Brookfield Place 181 Bay Street, Suite 4400 Toronto, Ontario M5J 2T3