How to manage and disclose data breaches

Bill C-12 calls for the enactment of an obligation to disclose breaches to privacy commissioner

By Jean-François De Rico, Special to The Gazette, March 27, 2012

Data breaches – at least those that are accounted for – are on the rise.

The 2012 Verizon Data Breach Investigations Report released last week demonstrates that data security breaches are happening much more frequently and across a wide range of industries, including financial services, retail, hospitality and manufacturing.

The annual study pointed to 855 breach incidents in 2011, 174 million compromised records, and a huge increase in the theft of information that could be used to identify a person. The study was conducted by global telecom Verizon Communications Inc. along with the United States Secret Service and the Dutch National High Tech Crime Unit, and included input from law enforcement agencies in Australia, the United Kingdom and Ireland.

One huge attack on Sony Corp.’s PlayStation Network, Qriocity systems and online entertainment platform involved 101.6 million user accounts and gave hackers access to such personal data as customer names, birth dates, street addresses, telephone numbers, email addresses and log-in names.

Separately, the Privacy Rights Clearinghouse, a non-profit consumer advocacy and education centre based in San Diego, has indexed 2,976 data breaches since 2005.

Given that data breaches can have obvious negative effects on the reputation of an organization and cause serious prejudice to its business, clients and employees, the adoption, implementation and audit of business-wide policies pertaining to the use of information technology (IT) and data processing are essential.

Organizations are also likely to soon be subject to a breach notification obligation.

Proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) will impose data breach notifications.

Introduced in the House of Commons in September 2011, Bill C-12 calls for the enactment of an obligation to disclose data breaches to the Privacy Commissioner of Canada, as well as an obligation to disclose to the individuals concerned in cases where the breach presents an important risk of prejudice, such as financial loss, impact on credit record and identity theft. Canada is thus following the lead of a majority of American state legislatures that have enacted such provisions.

Canadian businesses that are subject to PIPEDA’s application should adopt policies setting forth the procedure to follow in the event of a breach.

Such incidents require a rapid and immediate response to limit the risk of prejudice to the individuals concerned, and many large organizations have implemented data breach notification processes in accordance with best practices.

In Quebec, PIPEDA only applies to businesses operating in fields that are under federal jurisdiction, but we can anticipate that Quebec will introduce a similar obligation in the course of the next review of its law for the protection of personal information in the private sector.

In its last report, published in June 2011, the Quebec Commission d’accès à l’information recommended that the private sector act be amended to add an obligation to report security breaches pertaining to personal information. Public consultations on the report are to be held by a National Assembly committee in the coming months, after which the committee will make a recommendation as to the need and opportunity to make amendments to the act.

Aside from the privacy-specific concern raised by information security, the United States Securities and Exchange Commission recently issued guidance on the obligation to disclose cybersecurity risks. Although it does not have regulation status, the SEC’s guide indicates that an issuer (any public company subject to SEC jurisdiction) has the obligation to consider and take into account cybersecurity when drawing up any statements of risk disclosure.

Securities issuers, as well as all organizations operating in regulated industries, should be prepared for tougher regulations and obligations governing cybersecurity risks – not just for stored personal information but all types of business-sensitive information.

IT systems can never totally preclude the risks that user behaviour and hackers represent. That is why all businesses should consider a review of existing policies and practices to efficiently manage this risk and draw up or tailor policies for their IT and data processing systems – and a system to monitor them.

Lawyer Jean-François De Rico practices mainly in information technology law at Langlois Kronström Desjardins LLP. He advises organizations on governance and compliance agreements, the outsourcing of IT services and information and document management. He is also an active member of Lexing, the first international network of lawyers dedicated to technology law.
