Mark S. Hayes – Blake, Cassels & Graydon LLP Privacy and Security – Some Observations Mark S. Hayes, Blake, Cassels & Graydon LLP 7th CACR Privacy and Security Workshop - Toronto November 3, 2006

Mark S. Hayes – Blake, Cassels & Graydon LLP Conundrums of Security and Privacy 1.  Security =  Privacy 2.Security ≠ Privacy 3.  Security =  Privacy

Mark S. Hayes – Blake, Cassels & Graydon LLP Security =  Privacy Must be able to secure and protect personal information in your possession or control May be different from usual internal security Include “right to know” internally and require different controls Passwording, encryption

Mark S. Hayes – Blake, Cassels & Graydon LLP Security ≠ Privacy Security for PI is a necessary but not sufficient condition for privacy compliance PI can be secure but used improperly or disclosed to inappropriate persons (both inside and outside organization) Security of PI is only one part of privacy compliance program

Mark S. Hayes – Blake, Cassels & Graydon LLP Security =  Privacy Anonymity and encryption: Bad for security Good for privacy One of the most important elements of a good security program is “know your users” However, must collect and use information with consent to comply with privacy regulations Must understand nature of trade-offs

Mark S. Hayes – Blake, Cassels & Graydon LLP Hayes’ Laws of Privacy and Technology 1.Technology will always enable you to do more than you are allowed to do 2.Technology will often restrict you from doing something that you are required to do 3.You will always discover the application of each of these laws right after an expensive technology implementation project is completed

Mark S. Hayes – Blake, Cassels & Graydon LLP Security Breaches PIPEDA security standards vague –Principle 4.7: “Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.” –Alberta PIPA slightly more detailed: “protect personal information... by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction” Seem to use objective standard

Mark S. Hayes – Blake, Cassels & Graydon LLP Some Security Cases PIPEDA decisions: strict liability “disclosure is breach” test PIPEDA Case #277 (2004) –“To” line used rather than “BCC” line in –sub-contractor had appropriate safeguards in place –“company did not meet the requirements of Principle 4.7.1” PIPEDA Case Summary #289 –Laptop containing customer’s banking information stolen from bank’s financial advisor’s car –Laptop equipped with security features (including password protection) –Bank’s laptop security policy PIPEDA-compliant –Bank still in breach

Mark S. Hayes – Blake, Cassels & Graydon LLP More Security Cases Alberta trio of 2005 cases used similar standards Linens ‘N Things, Nor-Don Collection Network Inc., Digital Communications Group Inc. –Police found consumer records in hands of criminal gang –Three retailers found in violation of PIPA –While precise failure of security was not identified in each case, retailers all found to have violated PIPA Possible that decisions were justified on basis of retailers’ failure to secure documents, but standard not well expressed in decisions

Mark S. Hayes – Blake, Cassels & Graydon LLP B.C. Investigation Report F06-01 “reasonable” means “objectively diligent and prudent in all of the circumstances” “defining and documenting security arrangements … is diligent and prudent practice” “fact that a generally-accepted and proven practice has been followed may be strong evidence of prudence and diligence in protecting personal information, but it is not determinative” Encryption of electronic records may be important

Mark S. Hayes – Blake, Cassels & Graydon LLP B.C. Investigation Report F06-01 (2) “risk of a privacy breach due to criminal activity or other intentional wrongdoing is contemplated in assessing reasonable security arrangements” Cost of additional security may be an issue Also see B.C. Investigation Report F06-02 Clearly the BCPC’s nuanced and objective approach seems more appropriate than the “breach means unreasonable” approach seen in other cases

Mark S. Hayes – Blake, Cassels & Graydon LLP Recent Alberta PIPA Cases To determine what security measures are reasonable, must look at: –medium information is stored on –sensitivity of information –industry standards or practices –foreseeability of unauthorized access or disclosure (including possibility of criminal activity) –cost of additional measures vs. additional level of security they would provide E.g. recommended that all personal information on laptop computers should be encrypted

Mark S. Hayes – Blake, Cassels & Graydon LLP Notification of Security Breaches Only Ontario PHIPA requires to notification after security breach involving personal information Most privacy commissioners support imposition of notification obligation In F06-02, BCPC concluded that “A public body should, following a data loss or theft, conduct a prompt assessment of any risks posed thereby. If the public body concludes that notification is appropriate, … it should prepare a notification strategy and execute it.”

Mark S. Hayes – Blake, Cassels & Graydon LLP Notification of Security Breaches (2) In many U.S. states, notification is mandatory except in limited circumstances In Victoria, Australia, privacy commissioner has implied an obligation that notification should be the rule, absent exceptional circumstances Issues with notification: –cost of notification –breach does not mean privacy risk –over-notification causes more damage than breach –constant notification  desensitivization Issue is on table for PIPEDA review

Mark S. Hayes – Blake, Cassels & Graydon LLP Questions? For a copy of these slides, just ask!