Recent Lessons in Preparing for and Responding to Security Breaches
Target recently acknowledged that it suffered a massive security breach over the holiday season between November 27 and December 15. Over 110 million credit and debit accounts were stolen in the breach, including customer names, credit and debit card numbers, card expiration dates and the three-digit security codes.
The investigation into the breach found that it was caused by sophisticated malware that was able to infect individual point-of-sale devices, monitor the data being processed on those devices, and then transmit that data outside of the retailer. The sophistication of the malware caused the U.S. Department of Homeland Security to issue a warning to retailers.
Similarly, Neiman Marcus also recently reported that it was the victim of a breach caused by malware that stole at least 1.1 million credit and debit card numbers over the course of several months.
In the wake of the massive security breaches reported by Target and Neiman Marcus, now may be a good time for businesses, in particular retailers, to re-acquaint themselves with the applicable Canadian statutory framework for the protection of personal information, and to implement or update policies and procedures around breach detection and notification.
Statutory Breach Notification Requirements
Alberta’s Personal Information Protection Act (PIPA) was the first piece of Canadian legislation to require mandatory security breach notification in the private (non-health) sector. Under PIPA, businesses are required to notify the Alberta Privacy Commissioner whenever there exists a real risk of significant harm to an individual as a result of a breach.
Recently, Manitoba enacted the Personal Information Protection and Identity Theft Prevention Act (PIPITPA) and became the second province to require mandatory security breach notification in the private (non-health) sector. Under PIPITPA, an organization is obligated to notify the individual directly if personal information is lost, accessed or disclosed without authorization. This differs from the mandatory privacy-breach notification required under PIPA, where organizations are required to first notify the province’s Privacy Commissioner rather than the individual. For more information on PIPITPA, see our blog on PIPITPA.
In addition, under proposed amendments to the federal Personal Information Protection and Electronic Documents Act (PIPEDA), businesses would have to notify the federal Privacy Commissioner in the event of any material breach. This requirement appears more broadly worded than PIPA’s notification requirement. Under the proposed amendments, businesses will also be required to directly notify individuals for whom the breach is likely to create a real risk of significant harm. By contrast, under PIPA, the Alberta Privacy Commissioner determines whether notification to individuals is required under the Act.
Guidelines for Protecting Personal Information
As legislative amendments are undertaken to address privacy issues, businesses will encounter increased compliance requirements. Here are some guidelines that may assist businesses in protecting data containing personal information and limit privacy liability:
- Develop a breach protocol that is amended periodically to account for improvements in technology.
- Incorporate a notification procedure in the breach protocol in order to report breaches to the applicable Privacy Commissioner. Even in jurisdictions where such notification is not strictly required by law, it may be advisable to notify the Privacy Commissioner (or affected individuals) of data breaches where such notification to Privacy Commissioners or individuals would help mitigate the harm arising from the breach.
- Ensure that all contracts with third parties include provisions that require the third party contractor to immediately inform the organization of any breach or suspected breach. Inform third parties of the breach protocol once it is developed.
- Ensure that record retention and destruction policies comply with existing privacy law requirements. To ensure compliance, destroy or ‘anonymize’ all personal information once it is no longer needed or legally required to be retained.
- Undertake employee training initiatives to ensure familiarity and compliance with all policies and practices.
For businesses that are looking to develop policies and procedures the following guidelines may be of assistance:
- Build a security program that protects the confidentiality, integrity, and availability of all information, not just personal information.
- Develop classification standards so that personal and non-personal information, as well as sensitive and non-sensitive personal information, can be easily identified.
- Ensure that proper security controls are in place and conduct risk assessments of all personal information.
For more tips on how to prepare and respond to privacy breaches, see our article on privacy breach reporting.