Privacy and Security – Some Observations
Mark S. Hayes, Blake, Cassels & Graydon LLP
7th CACR Privacy and Security Workshop – Toronto, November 3, 2006

Conundrums of Security and Privacy
1. More security = more privacy
2. Security ≠ privacy
3. More security = less privacy

More Security = More Privacy
Must be able to secure and protect personal information in your possession or control
May be different from usual internal security
May include a “right to know” restriction internally and require different controls
Passwording, encryption

Security ≠ Privacy
Security for PI is a necessary but not sufficient condition for privacy compliance
PI can be secure but used improperly or disclosed to inappropriate persons (both inside and outside the organization)
Security of PI is only one part of a privacy compliance program

More Security = Less Privacy
Anonymity and encryption:
  – Bad for security
  – Good for privacy
One of the most important elements of a good security program is “know your users”
However, must collect and use information with consent to comply with privacy regulations
Must understand the nature of the trade-offs

Hayes’ Laws of Privacy and Technology
1. Technology will always enable you to do more than you are allowed to do
2. Technology will often restrict you from doing something that you are required to do
3. You will always discover the application of each of these laws right after an expensive technology implementation project is completed

Security Breaches
PIPEDA security standards vague
  – Principle 4.7: “Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.”
  – Alberta PIPA slightly more detailed: “protect personal information... by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction”
Seem to use objective standard

Some Security Cases
PIPEDA decisions: strict liability “disclosure is breach” test
PIPEDA Case #277 (2004)
  – “To” line used rather than “BCC” line in e-mail
  – sub-contractor had appropriate safeguards in place
  – “company did not meet the requirements of Principle 4.7.1”
PIPEDA Case Summary #289
  – Laptop containing customer’s banking information stolen from bank’s financial advisor’s car
  – Laptop equipped with security features (including password protection)
  – Bank’s laptop security policy PIPEDA-compliant
  – Bank still in breach

More Security Cases
Alberta trio of 2005 cases used similar standards: Linens ‘N Things, Nor-Don Collection Network Inc., Digital Communications Group Inc.
  – Police found consumer records in hands of criminal gang
  – Three retailers found in violation of PIPA
  – While precise failure of security was not identified in each case, retailers all found to have violated PIPA
Possible that decisions were justified on basis of retailers’ failure to secure documents, but standard not well expressed in decisions

B.C. Investigation Report F06-01
“reasonable” means “objectively diligent and prudent in all of the circumstances”
“defining and documenting security arrangements … is diligent and prudent practice”
“fact that a generally-accepted and proven practice has been followed may be strong evidence of prudence and diligence in protecting personal information, but it is not determinative”
Encryption of electronic records may be important

B.C. Investigation Report F06-01 (2)
“risk of a privacy breach due to criminal activity or other intentional wrongdoing is contemplated in assessing reasonable security arrangements”
Cost of additional security may be an issue
Also see B.C. Investigation Report F06-02
The BCPC’s nuanced and objective approach seems more appropriate than the “breach means unreasonable” approach seen in other cases

Recent Alberta PIPA Cases
To determine what security measures are reasonable, must look at:
  – medium information is stored on
  – sensitivity of information
  – industry standards or practices
  – foreseeability of unauthorized access or disclosure (including possibility of criminal activity)
  – cost of additional measures vs. additional level of security they would provide
E.g. recommended that all personal information on laptop computers should be encrypted

Notification of Security Breaches
Only Ontario PHIPA requires notification after a security breach involving personal information
Most privacy commissioners support imposition of a notification obligation
In F06-02, BCPC concluded that “A public body should, following a data loss or theft, conduct a prompt assessment of any risks posed thereby. If the public body concludes that notification is appropriate, … it should prepare a notification strategy and execute it.”

Notification of Security Breaches (2)
In many U.S. states, notification is mandatory except in limited circumstances
In Victoria, Australia, privacy commissioner has implied an obligation that notification should be the rule, absent exceptional circumstances
Issues with notification:
  – cost of notification
  – breach does not mean privacy risk
  – over-notification causes more damage than breach
  – constant notification leads to desensitization
Issue is on table for PIPEDA review

Questions?
For a copy of these slides, just ask!