April 1, 2019 by Greg Meckbach, Associate Editor
As a Canadian risk manager, your worst nightmare could be employees who fail to delete certain computer files. Or perhaps your employees are browsing through company records for nefarious reasons, or maybe just out of idle curiosity.
All of these situations, common enough occurrences in any workplace, could lead to a lengthy and expensive data breach lawsuit against your company.
The risk has become bigger in recent months, especially because of a key change to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) that took effect last November.
“Ever since the mandatory breach notification kicked in, two pieces have been challenging for organizations,” says cybersecurity lawyer Imran Ahmad, a Toronto-based partner with Blake, Cassels & Graydon LLP.
The first piece is record keeping.
It is now mandatory for organizations to log every data breach, regardless of whether or not it might cause harm. If such a breach could cause a “real risk of significant harm” (the RROSH test), then the potentially harmed parties must be notified.
“The log is only as good as the information you receive from your front-line employees,” Ahmad observes. “And that’s where it has been a big challenge in terms of educating and informing employees. Often, organizations will assume that if it does not meet what we call the real risk of significant harm or the RROSH test under PIPEDA, then it may not be something they need to log. But the fact is, there is no threshold. So, you need to keep a log.”
A second challenge is complying with different laws across multiple jurisdictions. Violating privacy laws can result in heavy fines and penalties, warns Steve Pottle, the Kamloops, B.C.-based vice president of Risk and Insurance Management Society Inc. (RIMS).
Canada-wide breach notification
Mandatory breach notification can increase your employer’s liability risk, warns David Fraser, a Halifax-based privacy lawyer for McInnes Cooper, who represented Google Inc. in matters before the Privacy Commissioner of Canada.
“I think this is an issue that should be keeping [risk managers] up at night,” Fraser says. “If it’s not high on their radar, it should be. We have seen a significant shift in this area in Canada over the last couple of years, culminating with the coming into force of the amendments made by the Digital Privacy Act that require breach notification and record keeping of all trivial breaches.”
Originally passed into law in 2015, the Digital Privacy Act made some changes to PIPEDA, including mandatory breach notification. In the past, there was no Canada-wide law requiring organizations who were targets of a data breach — involving credit card information, for example — to notify affected individuals.
Right to be forgotten
Another recently-enacted privacy law that might affect your organization is the European General Data Protection Regulation (GDPR), which took effect in May 2018. GDPR gives citizens in all 28 EU countries the right to have their personally identifiable information deleted when it is “no longer necessary in relation to the purposes” for which it was collected.
This “right to be forgotten” will probably become a “new normal across the globe,” as more jurisdictions follow the EU’s lead and create their own versions of GDPR, suggests Pottle, the director of risk management services for Thompson Rivers University.
It may be wise for risk managers to follow the GDPR rules even if they do not think they keep data on EU citizens, Pottle suggests. “Eventually all the jurisdictions are going to catch up to this,” he says. “You have a right, as a member of the EU under this privacy regime, to basically have yourself and your data erased. Companies would then have the responsibility to basically wipe you clean from their database and that alone can be quite onerous.”
When deleting is not deleting
Deleting data on a company system is easier said than done. “Hitting the delete button doesn’t mean it’s off your server,” says Sylvia Kingsmill, partner and national leader, digital privacy and compliance, forensic services at KPMG Canada. “Just look at your iPhone. If you delete a photo, it is still saved and stored for an additional 30 days until it is permanently deleted.”
That said, you have a major liability risk on your hands if you keep computer data longer than necessary — especially if that data is being used for purposes other than for which it was originally collected.
Data destruction policy
This is why many organizations need a data destruction policy, Kingsmill says. “If you are selling widgets and if you are a (business-to-business) company, the risk exposure is very minimal. But if you are business-to-consumer, and if you are collecting individually identifying personal data, sensitive or not, as a best practice you should have a data retention and destruction policy.”
What that policy should say depends on the size and scope of your activities.
The federal Office of the Privacy Commissioner recommends that organizations keep an inventory of the personal information they are retaining. Managers need to ask whether personal information exists in multiple copies and, if so, where backups and copies are stored.
If information is stored in removable media such as CDs, there is a variety of ways of destroying it – such as incineration, pulverizing, shredding and melting.
A data destruction policy could be as simple as two or three pages, says Kingsmill. “A lot of privacy regulators have templates that can be leveraged if you are a small to mid-sized business and you don’t have the budget to hire someone externally to do that for you.”
As a start, risk managers should have a policy in place spelling out the incidents that must be reported. Employees need to know what’s in the policy. “There is no point in drafting a super-lengthy policy that nobody reads,” says Ahmad. “It could be a couple of pages.”
There is no hard-and-fast rule about how long your policy should be, but it should be customized to your organization to some extent, Ahmad recommends. He also suggests that risk managers prepare a one-page summary of the breach policy for front-line workers.
Second, Blake, Cassels & Graydon recommends that risk managers create an incident intake form, which employees can fill out to report a breach.
Third, risk managers need to ensure employees know that every breach needs to be logged, even if it does not have to be reported. “If you lose a laptop, and all the data was encrypted, and you find the laptop afterwards, that is still an incident that needs to be kept in a log that should hopefully be in the legal department’s purview,” says Ahmad.
Most organizations walk a fine line between data retention and data destruction, Kingsmill observes. Companies sometimes need to retain data in case they are sued and need to produce documents for discovery. So being too quick to delete data could turn out to be a bad idea.
Your data destruction policy needs to stipulate how to destroy data so it is not easily reconstructed, and should include the media you can use to store data, said Kingsmill.
Some organizations, for example, do not allow certain sensitive data to be stored on servers, but only on removable media (such as USB sticks) that can be locked in a filing cabinet or safe.
Data destruction policies should be easy to understand without a lot of legalese. “No one is going to read a data destruction policy that is 50 pages long and full of technical IT jargon,” said Kingsmill.
The new requirement to report certain breaches has created new liability risk, warns Fraser. Reputational harm caused by reporting a data breach seems more likely because of the speed and extent of modern-day communications. “If you have to send a message to 10,000 customers that something has happened with their information, almost certainly one of those 10,000 is going to be a reporter and you are not going to stay under the radar,” says Fraser. “There is a very strong likelihood that one of those people is, works for, or knows a class action lawyer. We have seen an explosion in privacy class actions over the last number of years.”
This explosion was triggered in part by Jones v. Tsige, a Court of Appeal for Ontario ruling that recognized intrusion upon seclusion as a tort. The case arose when Winnie Tsige, a Bank of Montreal worker, accessed the bank records of co-worker Sandra Jones. Jones sued Tsige and was awarded $10,000 by the Court of Appeal for Ontario.
Curiosity killed the bottom line
The Bank of Montreal was not a party in Jones v. Tsige, but the significance for risk managers is that a plaintiff can be awarded thousands of dollars if their privacy is breached, even if they suffered no economic loss.
“Intrusion upon seclusion put privacy torts squarely on the radar for class-action lawyers, so most notifications of any significance will likely result in class-action lawsuits,” Fraser says. “There have been a number of insider-snooping cases, in which curious employees have gone poking through the records of others; that often results in damages of $1,000 bucks per person snooped upon.”
In the event of a privacy breach, an organization could be sued for negligence, breach of confidence, breach of fiduciary duty or breach of contract, said Fraser. And it’s not just an individual’s personal information that can be compromised in a breach. “You could have confidential information belonging to another party,” says Ahmad. “It could be intellectual property, it could be the design of a product, it could be a joint venture, it could be client lists – it could be a variety of things….
“So, do you as an organization have an obligation to give a heads-up to that vendor who may be the target? We have seen a lot of that these days. The number of inbox or email compromises has increased significantly.”