In the wake of security breaches reported at LinkedIn and eHarmony, now may be a good time for businesses to re-acquaint themselves with the applicable statutory framework for the protection of personal information in Canada as well as implement or update policies and procedures around breach detection and notification.
Reports of Recent Security Breaches
On Wednesday, June 6, 2012, both LinkedIn, a social networking site with 160 million users, and eHarmony, an online dating site with 20 million users, reported significant security breaches. The result of these breaches was that user passwords, over 6 million from LinkedIn and 1.5 million from eHarmony, were reportedly posted in online forums.
Statutory Breach Notification Requirements
Alberta’s Personal Information Protection Act (PIPA) was the first piece of Canadian legislation to require mandatory security breach notification in the private (non-health) sector. Under PIPA, businesses are required to notify the Alberta Privacy Commissioner whenever there exists a real risk of significant harm to an individual as a result of a breach.
Similarly, under proposed amendments to the federal Personal Information Protection and Electronic Documents Act (PIPEDA), businesses would have to notify the federal Privacy Commissioner in the event of any material breach. This requirement appears more broadly worded than PIPA’s notification requirement. Under the proposed amendments, businesses would also be required to directly notify individuals for whom it is likely that the breach creates a real risk of significant harm. By contrast, under PIPA, the Alberta Privacy Commissioner determines whether notification to individuals is required under the Act.
Guidelines for Protecting Personal Information
As legislative amendments are undertaken to address privacy issues, businesses will encounter increased compliance requirements. Here are some guidelines that may assist businesses in protecting data containing personal information and in limiting privacy liability:
- Develop a breach protocol that is amended periodically to account for improvements in technology.
- Incorporate a notification procedure in the breach protocol in order to report breaches to the applicable Privacy Commissioner. Even in jurisdictions where such notification is not strictly required by law, it may be advisable to notify the Privacy Commissioner (or affected individuals) of a data breach where doing so would help mitigate the harm arising from the breach.
- Ensure that all contracts with third parties include provisions that require the third party contractor to immediately inform the organization of any breach or suspected breach. Inform third parties of the breach protocol once it is developed.
- Ensure that record retention and destruction policies comply with existing privacy law requirements. To ensure compliance, destroy or ‘anonymize’ all personal information once it is no longer needed or legally required to be retained.
- Undertake employee training initiatives to ensure familiarity and compliance with all policies and practices.
For businesses that are looking to develop policies and procedures, the following guidelines may be of assistance:
- Build a security program that protects the confidentiality, integrity, and availability of all information, not just personal information.
- Develop classification standards so that personal information can be easily identified.
- Ensure that proper security controls are in place and conduct risk assessments of all personal information.
For more tips on how to prepare for and respond to privacy breaches, see our article on privacy breach reporting.