February 25, 2020 by Jason Contant
Cases of egregious employee “snooping” in Alberta have exploded to the point where some affected individuals won’t even seek health treatment within their communities anymore, the province’s privacy commissioner said at a conference Friday.
Jill Clayton, Alberta’s information and privacy commissioner, told attendees of NetDiligence’s Cyber Risk Summit in Toronto that her office used to see five or six active offence investigations at any given time. “Right now, we’ve got about 50 flagged offences and 20 to 25 active offences, and three matters are before the courts,” she said Friday during a panel discussion entitled “Canadian Regulatory and Litigation Update.”
Snooping on a person’s records is a major source of concern, Clayton reported. “You’re supposed to go in there on a need-to-know basis, but some people seem to think it’s their reading material,” she said.
Snoopers run the gamut from generally curious people to individuals in dysfunctional family relationships. Ex-wives or ex-husbands, for example, will look at health information and share it with friends, family and even their church group; others look up information about elected officials and VIPs. Snooping cases have also led to custodial sentences, house arrest, or even criminal charges, Clayton said.
“We’ve seen that some of these affected individuals won’t seek health treatment within their communities anymore,” she reported. “You can’t hardly blame them. We’ve got victim impact statements where people will say, ‘I will not seek treatment for certain kinds of issues.’”
In contrast to earlier convictions, courts are now more likely to take away a snooper’s access to health information for a one-year period, Clayton observed. Fines have ranged from about $3,500 up to $8,000 in the last year; a few years ago, the court issued one fine for $15,000 and another for $20,000, Clayton said.
Mandatory breach reporting came into force for Alberta’s health sector in August 2018. The province has had mandatory breach reporting and notification in place for the private sector since May 2010. However, unlike the private sector threshold of a “real risk of significant harm,” the threshold is lower for the health sector: a risk of harm to an individual as a result of a loss of, or unauthorized access to or disclosure of, health information.
For the three years leading up to the health sector amendments in 2018, Alberta’s privacy commissioner saw about 130 reports a year. After the changes, Clayton said she was expecting about 620 reports a year. But “it turns out we are getting about 1,100 a year, which is kind of shocking,” she said.
Abubakar Khan, director of the Office of the Privacy Commissioner of Canada’s business advisory directorate, agrees that employee snooping remains a major privacy concern for businesses.
“Employee snooping is alive and well, and it’s thriving,” Khan said during the panel discussion. “Companies are quite aware of it. Some of it is still inquisitiveness, but it is beyond inquisitiveness. Some of the early indications…are that there could be economic reasons or incentives for individuals to realize that there is value in data.” He advised companies to “pay close attention to your internal threats.”
Khan was asked by moderator Katherine Kolnhofer, a partner at Bell Temple LLP, about trends he has observed since Canada’s mandatory breach notification regulations took effect about a year and a half ago. “Unauthorized access,” Khan replied, referring to things like malware, credential stuffing, employee snooping, and social engineering incidents. “These last two I’ve been told are substantial.” Unauthorized access to information now accounts for 62% of privacy incidents reported, Khan said.
And while there has been a bit of a tendency to over-report out of an abundance of caution, three industries – financial, retail and telecommunication – constitute the majority of breach reports. “If you put in insurance, I think they were 8% of the total reported incidents,” Khan said. “You’re looking at two-thirds of all Canadian mandatory reports in a 12-month period just coming from these four sectors.”